gh0strat | df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c

General

Target

df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
Size

1.2MB
MD5

ee314caa19f51ff2010bf31bd89c0d45
SHA1

54579d7258c887b2ffbcc963d0f090b9fec91931
SHA256

df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c
SHA512

64bc4978c4e09cfec6aa8166d20db5e11d83b086c7c3ba7727ac1d1c7174c7b3fe9b717f536d28c47e58023370389e03f6ec34b40f13002cd93f7b0cf5fe52ad
SSDEEP

24576:5068q4ii3ZfYGKGKrBJXkvkrcwlyDghKFroghjeezMjjm6JK0Sx0p0t:Otr339YGKGKv9czgh0vaeWvJK0gH

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2132-22-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2132	cellinst.exe

Loads dropped DLL 2 IoCs

pid	Process
2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2100-0-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect
behavioral1/memory/2100-1-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect
behavioral1/memory/2100-25-0x0000000000400000-0x00000000007DB000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2132	cellinst.exe
Token: SeIncBasePriorityPrivilege	2132	cellinst.exe
Token: 33	2132	cellinst.exe
Token: SeIncBasePriorityPrivilege	2132	cellinst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2132	2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	29
PID 2100 wrote to memory of 2132	2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	29
PID 2100 wrote to memory of 2132	2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	29
PID 2100 wrote to memory of 2132	2100	df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe	29

C:\Users\Admin\AppData\Local\Temp\df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe
"C:\Users\Admin\AppData\Local\Temp\df1cbce0169bf74376f9c777c704a5128ec37966359c8ffad8d8d820f876a78c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\DTLSoft\cellinst.exe
  C:\DTLSoft/cellinst.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2132

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DTLSoft\cellinst.exe

Filesize
92KB

MD5
921e902873061cf84db0f51cfba1a55e

SHA1
1b3565c7b4450e3c7a66339c81a565be66ca6da7

SHA256
4032442d59974bb4103e936c11cb66ff75f416f7cf85ec4ad3df26aa1438e4c9

SHA512
82e57f7f07146aedc80f5c92f39e4e7bd6611a680c727475c3d17658c7c768a4f22a49f8a56f4df0d31f7d864857ac6e7821f037dd3d04948cee63c130d13053

Download Submit
C:\DTLSoft\cellinst.exe

Filesize
143KB

MD5
d9c7fbb5aebff80dcc4335d272e5b151

SHA1
b7fef8202dd4315c5d856ebc0cde7ea18aaf77d0

SHA256
6699f04b2c092ad66b0cf1ddf2f0c0178fe8f40d61fde353b8d90caee6745465

SHA512
f9114a353b219a40da494cd3a1c2e03aa2ae8b3744baf2c99cc03ecd04e7fb44aa76a7e276bf62240d543ba8e755ead175315bdb1c1f351bf52a9302314a13ef

Download Submit
\DTLSoft\cellinst.exe

Filesize
353KB

MD5
d70ec4e5e788651ea5a0d694962e603f

SHA1
18184070d81f1afb6329c4fd5167fc53e283935a

SHA256
813829bd350b8aff8dbc058cb90a5c47d02712d16f31a6a9d075dd27ceee0c1c

SHA512
720986ebb0fdef0a52913727ba9e7ae75b84c9b901f383d9dd90e589366f5cca3461a48d7cb6493f5c6fc7e6ea69aac6dc5156ffef49e2dcff58ec81b6f10856

Download Submit
\DTLSoft\cellinst.exe

Filesize
544KB

MD5
8efd25671f617473559ca9ae2254af58

SHA1
f77806256e7fb7555651c78e6a9a8ce534c7a738

SHA256
f4e56ad9e9a0304eaa3084a642a61f668d17365c7a6935019234c65568c2a2cc

SHA512
117219dcf7b5fe1f221ec7509ec3c9ed3b2f2725870c7f753782bcb5960ef256b72b85e4b0564a0222c71bb602eabb29e11454ae41ba1c5b86bfd75c76beaac1

Download Submit
memory/2100-0-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/2100-1-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/2100-9-0x0000000003CD0000-0x0000000003CD2000-memory.dmp

Filesize
8KB

Download
memory/2100-25-0x0000000000400000-0x00000000007DB000-memory.dmp

Filesize
3.9MB

Download
memory/2132-22-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2568-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2568-10-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2568-26-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing