gh0strat | 48de6adcb1e991d01fde17b73ec8e5441644e08065ff224bbd53dfbdf51d19d5

General

Target

34c2d37434cb06c2874a49419d59ab45.exe
Size

228KB
MD5

34c2d37434cb06c2874a49419d59ab45
SHA1

262fdec6d7ce86ddf2fbf35ec0fa466522bd9428
SHA256

48de6adcb1e991d01fde17b73ec8e5441644e08065ff224bbd53dfbdf51d19d5
SHA512

ab355b7eebbe651ad4681a89d8e46b0ec02eb1940a7110323a04a091dd439b3b888c86f7a88ecbc0ff8581e4340b54b670b318eec5d748bd8d89c923bc7df516
SSDEEP

6144:93ouBn5oP8qxFrthTZW2665Qu46uYF4gK4:7Bn5oP8qxFrXv665Qu46uYe

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4456-8-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4948-16-0x0000000000400000-0x0000000000438484-memory.dmp	family_gh0strat
behavioral2/memory/4456-11-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4456	appapp.exe

Loads dropped DLL 1 IoCs

pid	Process
4456	appapp.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\cqfihq.vbs	34c2d37434cb06c2874a49419d59ab45.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1012	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4352	4456	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4948	34c2d37434cb06c2874a49419d59ab45.exe
4948	34c2d37434cb06c2874a49419d59ab45.exe
4948	34c2d37434cb06c2874a49419d59ab45.exe
4948	34c2d37434cb06c2874a49419d59ab45.exe
4948	34c2d37434cb06c2874a49419d59ab45.exe
4948	34c2d37434cb06c2874a49419d59ab45.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4456	4948	34c2d37434cb06c2874a49419d59ab45.exe	96
PID 4948 wrote to memory of 4456	4948	34c2d37434cb06c2874a49419d59ab45.exe	96
PID 4948 wrote to memory of 4456	4948	34c2d37434cb06c2874a49419d59ab45.exe	96
PID 4948 wrote to memory of 3320	4948	34c2d37434cb06c2874a49419d59ab45.exe	112
PID 4948 wrote to memory of 3320	4948	34c2d37434cb06c2874a49419d59ab45.exe	112
PID 4948 wrote to memory of 3320	4948	34c2d37434cb06c2874a49419d59ab45.exe	112
PID 4948 wrote to memory of 672	4948	34c2d37434cb06c2874a49419d59ab45.exe	111
PID 4948 wrote to memory of 672	4948	34c2d37434cb06c2874a49419d59ab45.exe	111
PID 4948 wrote to memory of 672	4948	34c2d37434cb06c2874a49419d59ab45.exe	111
PID 4948 wrote to memory of 1012	4948	34c2d37434cb06c2874a49419d59ab45.exe	109
PID 4948 wrote to memory of 1012	4948	34c2d37434cb06c2874a49419d59ab45.exe	109
PID 4948 wrote to memory of 1012	4948	34c2d37434cb06c2874a49419d59ab45.exe	109
PID 4948 wrote to memory of 5092	4948	34c2d37434cb06c2874a49419d59ab45.exe	108
PID 4948 wrote to memory of 5092	4948	34c2d37434cb06c2874a49419d59ab45.exe	108
PID 4948 wrote to memory of 5092	4948	34c2d37434cb06c2874a49419d59ab45.exe	108
PID 672 wrote to memory of 4148	672	cmd.exe	104
PID 672 wrote to memory of 4148	672	cmd.exe	104
PID 672 wrote to memory of 4148	672	cmd.exe	104
PID 672 wrote to memory of 1492	672	cmd.exe	103
PID 672 wrote to memory of 1492	672	cmd.exe	103
PID 672 wrote to memory of 1492	672	cmd.exe	103

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4524	attrib.exe
3668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\34c2d37434cb06c2874a49419d59ab45.exe
"C:\Users\Admin\AppData\Local\Temp\34c2d37434cb06c2874a49419d59ab45.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Sofe0\appapp.exe
  C:\Sofe0\appapp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 676
    3⤵
    - Program crash
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:5092
- C:\Windows\SysWOW64\sc.exe
  sc config DcomLaunch start= auto
  2⤵
  - Launches sc.exe
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Sofe0\common\lanmao.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe "C:\WINDOWS\system32\cqfihq.vbs"
  2⤵
  PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4456 -ip 4456
1⤵
PID:2716

C:\Windows\SysWOW64\attrib.exe
attrib +H +R "C:\Users\Admin\AppData\Local\Temp\84018c44d2a03266a0e95d07765bde86.dat"
1⤵
- Views/modifies file attributes
PID:4524

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Temp\84018c44d2a03266a0e95d07765bde86.dat" /T /P everyone:N
1⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
1⤵
PID:2832

C:\Windows\SysWOW64\attrib.exe
attrib +H +R "C:\Sofe0"
1⤵
- Views/modifies file attributes
PID:3668

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Local\Temp" /T /P everyone:F
1⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4456-8-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4456-11-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4948-0-0x0000000000400000-0x0000000000438484-memory.dmp

Filesize
225KB

Download
memory/4948-16-0x0000000000400000-0x0000000000438484-memory.dmp

Filesize
225KB

Download

Analysis

Sharing