gh0strat | d3d68d7b09e5f02219129c961513b2ce084d13f0a3bdb9d1c7898fab18426df6

General

Target

e.exe
Size

3.7MB
MD5

569aaee0d37aaf2cc146f8365fbfee0f
SHA1

abd07815d8c40c711a0a2dba8ed07b8f7c4d6ca7
SHA256

d3d68d7b09e5f02219129c961513b2ce084d13f0a3bdb9d1c7898fab18426df6
SHA512

1e59961fe4f89e014ad740a8df52925d63277be30874b7a46225b533028447dc0168ef3c83861b1174de5a72db9d3b135732860e26dfcd43cc74aef1c1884ea7
SSDEEP

98304:AI8xdgcmkuT93Cvmtud9LS51a+FsffmzSvV5/JbPPMYZAvl:AI8/gcYEVdFfmzSvV5/xUY2N

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3472-40-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral3/memory/3472-41-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral3/memory/3472-44-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat
behavioral3/memory/3472-45-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

e.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation e.exe
Executes dropped EXE 2 IoCs

Processes:

render.exerender.exe

pid process

3472 render.exe
5012 render.exe
Loads dropped DLL 2 IoCs

Processes:

render.exerender.exe

pid process

3472 render.exe
5012 render.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	e.exe

pid	process
3472	render.exe
5012	render.exe

pid	process
3472	render.exe
5012	render.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/3472-36-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral3/memory/3472-40-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral3/memory/3472-41-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral3/memory/3472-44-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral3/memory/3472-45-0x0000000010000000-0x0000000010011000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

e.exerender.exe

pid	process
3352	e.exe
3352	e.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe
3472	render.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e.exe

pid process

3352 e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e.exerender.exe

description	pid	process	target process
PID 3352 wrote to memory of 3472	3352	e.exe	render.exe
PID 3352 wrote to memory of 3472	3352	e.exe	render.exe
PID 3352 wrote to memory of 3472	3352	e.exe	render.exe
PID 3472 wrote to memory of 5012	3472	render.exe	render.exe
PID 3472 wrote to memory of 5012	3472	render.exe	render.exe
PID 3472 wrote to memory of 5012	3472	render.exe	render.exe

C:\Users\Admin\AppData\Local\Temp\e.exe
"C:\Users\Admin\AppData\Local\Temp\e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352

C:\recovery\render.exe
"C:\recovery\render.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472

C:\recovery\render.exe
C:\recovery\render.exe --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel --handshake-handle=0x214
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\a6.txt

Filesize
1KB

MD5
b88a95ec3224ecf4ebcb53be37a31402

SHA1
72d4e42691713d59d4b698a274b0ac61d17b1e66

SHA256
d64f765ea386b9dea471488c9de23eb6cff908a88c3c72bd7de1a5247dcb8a3b

SHA512
38b0c1622a3d4ea6afeb2ff09067f18ec8a82038d037ca50fe13883e98799cc3216baba3713098ceb06887f13498ecdec7a5e6d450ada34591a9288d06a8c117

Download Submit
C:\Recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
C:\Recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Recovery\render.exe

Filesize
1.0MB

MD5
a182097a3169f5924c29d107c0b4b5a4

SHA1
8c5e7ff7a8b62de893a3cb6dad3fc028435ead92

SHA256
a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01

SHA512
0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d

Download Submit
C:\Users\Admin\AppData\Local\Crashpad\settings.dat

Filesize
40B

MD5
f10034d741216e34c85a0fdebfaf222f

SHA1
175efc030738147767a6144dfcded3711d730c77

SHA256
7fb9abd438acea4d31c2641a9cb77d6e2e9a58b7d732721675bdb5bb4bb7a596

SHA512
f87d9fb43d819a51c2fa7f88b39b3a3b6efd26d4e04b5cd685d65d48d6e8b8cdc8feed905cffa4e18c551f5541e1b89a272ce3bd9553a0e9118f66d1dc762e16

Download Submit
C:\recovery\nw_elf.dll

Filesize
164KB

MD5
eba91a9e5471e7b41095c837798e0d85

SHA1
4abed5d2cb3dca76e88686d225a42db3276e891a

SHA256
65e26b4b3af1ebbb45aba57a38dc6926ca2c40e33e134d115fa7c4c3c322dc2d

SHA512
b4b1684003af5cbca82b6b9a76a129b3bddc961e3629cd148be692ce123175f645a486db807c0fb979ad5293007e65439fcdc531ae75bb97a193d7160f2d80c7

Download Submit
memory/3352-6-0x0000000002F10000-0x0000000002F2E000-memory.dmp

Filesize
120KB

Download
memory/3352-7-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/3472-34-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3472-35-0x0000000001160000-0x00000000011AE000-memory.dmp

Filesize
312KB

Download
memory/3472-36-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3472-40-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3472-41-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3472-44-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3472-45-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads