gh0strat | 75f785ffbadc7cc740bde0ed0c60159b1d380e203963228b5da20a94d4aa4a36

General

Target

koori.exe
Size

9KB
MD5

0162ec0da9b029460e325b7b68d8cf31
SHA1

412f6cbde7b5dcb14114f5fb96764d3ba52118e5
SHA256

9b1f69c467acd244144b6a52a2e9063b25b4ded4b96a9845ab043fbd354531d1
SHA512

218f570021b2fae8717df5d4acde3b45f3bab7fcf78ff7cb8f3d70ac37e06d066ee566aa5ef6a11b6a2644165961bebf8f2d7f305ce55be0b3d85db7f7d040ed
SSDEEP

192:COp/kxZ5h2xeqprlU6kZ01lZGOXDVqcR1z:CO5kT5oeqprlUvulDVLR1

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

C2

47.76.161.35

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-36-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral2/memory/4964-39-0x0000000002410000-0x0000000002426000-memory.dmp	family_gh0strat
behavioral2/files/0x000700000002323a-34.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

koori.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	koori.exe

Executes dropped EXE 3 IoCs

Processes:

1.exetgp_daemon.exe.exe360Saf.exe

pid	Process
4232	1.exe
2796	tgp_daemon.exe.exe
4964	360Saf.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

360Saf.exe

description	ioc	Process
File opened (read-only)	\??\Y:	360Saf.exe
File opened (read-only)	\??\G:	360Saf.exe
File opened (read-only)	\??\L:	360Saf.exe
File opened (read-only)	\??\Q:	360Saf.exe
File opened (read-only)	\??\R:	360Saf.exe
File opened (read-only)	\??\V:	360Saf.exe
File opened (read-only)	\??\W:	360Saf.exe
File opened (read-only)	\??\X:	360Saf.exe
File opened (read-only)	\??\B:	360Saf.exe
File opened (read-only)	\??\H:	360Saf.exe
File opened (read-only)	\??\M:	360Saf.exe
File opened (read-only)	\??\U:	360Saf.exe
File opened (read-only)	\??\E:	360Saf.exe
File opened (read-only)	\??\I:	360Saf.exe
File opened (read-only)	\??\J:	360Saf.exe
File opened (read-only)	\??\P:	360Saf.exe
File opened (read-only)	\??\S:	360Saf.exe
File opened (read-only)	\??\T:	360Saf.exe
File opened (read-only)	\??\Z:	360Saf.exe
File opened (read-only)	\??\K:	360Saf.exe
File opened (read-only)	\??\N:	360Saf.exe
File opened (read-only)	\??\O:	360Saf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360Saf.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	360Saf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	360Saf.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

1.exe360Saf.exe

pid	Process
4232	1.exe
4232	1.exe
4232	1.exe
4232	1.exe
4232	1.exe
4232	1.exe
4964	360Saf.exe
4964	360Saf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

koori.exe1.exe

description	pid	Process
Token: SeDebugPrivilege	3348	koori.exe
Token: SeDebugPrivilege	4232	1.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

koori.exe1.exe

description	pid	Process	procid_target
PID 3348 wrote to memory of 4232	3348	koori.exe	101
PID 3348 wrote to memory of 4232	3348	koori.exe	101
PID 3348 wrote to memory of 4232	3348	koori.exe	101
PID 4232 wrote to memory of 2796	4232	1.exe	100
PID 4232 wrote to memory of 2796	4232	1.exe	100
PID 4232 wrote to memory of 2796	4232	1.exe	100
PID 3348 wrote to memory of 4964	3348	koori.exe	105
PID 3348 wrote to memory of 4964	3348	koori.exe	105
PID 3348 wrote to memory of 4964	3348	koori.exe	105

C:\Users\Admin\AppData\Local\Temp\koori.exe
"C:\Users\Admin\AppData\Local\Temp\koori.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Users\Public\Downloads\1.exe
  "C:\Users\Public\Downloads\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4232
- C:\Users\Public\Downloads\360Saf.exe
  "C:\Users\Public\Downloads\360Saf.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4964

C:\Users\Public\Downloads\tgp_daemon.exe.exe
"C:\Users\Public\Downloads\tgp_daemon.exe.exe"
1⤵
- Executes dropped EXE
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\1.exe

Filesize
10KB

MD5
e2653142160ea22eaa31961f452b8336

SHA1
53e9993bc6a3220d1aa8a6bdb1aebc73c7fa864f

SHA256
f7df2743f68bf9d181b4ee06927328b90420934b1ce9782e1953ac0cea84166e

SHA512
0f3b31a4cfbc6ea064c086fd92ad4402f69dece9ecc77cc207224d57bd3c13c910adfebf400b05a8180b1f1ae261769f8e2cc0d3df9072a10f147e4dc842b6ce

Download Submit
C:\Users\Public\Downloads\360Saf.exe

Filesize
190KB

MD5
d1c886641138c87536466581159ae54a

SHA1
aa0d8d8dbcb76049d20f2c321244309d218e57ce

SHA256
a7ae3ea7120fa0c8a583366953684115b54cb44a1729b5aa465bfcaf3e9d68b2

SHA512
b94d933d598be50c680fdb30bcb7f06b7e9ab5f9941f10d28c33c4a194e3c3d78e67aac55d0fe43356b90b813ccc6ab724f3a1d4277bf82ed05b57a466587eee

Download Submit
C:\Users\Public\Downloads\360Saf.exe

Filesize
113KB

MD5
630083ffdf80fecb31be3a5e89a816b5

SHA1
788eb44472c2d3291caf224abc67312bac5b1dd0

SHA256
6d32f6b90a98d145d1cca5a90026369b49cf627c509ad435c341e094ae79c128

SHA512
f1faf9acfe9dc52e531e303a798d014e68f7d0a8ea9f97afdf9e56cec1147b3db307d0f1dccb71d8adfe12610f01cc279c459a7c8b500f261c7e2cf7c1803162

Download Submit
C:\Users\Public\Downloads\360Saf.exe

Filesize
139KB

MD5
b6f9ef09b66220c857d54724cb22411e

SHA1
687a42ff6821424bfa0d57bb3f8f61f7e8bd4f80

SHA256
7499ff826d8b038023484ce300b3907080784f0d3c9a7b70188a28467ac354c9

SHA512
d309f4fd5c982a834d57a9bfa6ca5bffbf8eda3699de73107f76207e4437ebdd3d197533b65ffd74929a6afa05dd47e76a4869ed08c2404b495ad33d94048163

Download Submit
C:\Users\Public\Downloads\shellcode.bin

Filesize
44KB

MD5
6231486402ab8ac44befb1abc4bc7e29

SHA1
59c706ebb24dfa7dae5fdcfb1dc571e5e2be058b

SHA256
81787256c2a4b058ad305c617805d77ba1fb99ed650bc3bf0936efb7a825c711

SHA512
88191649eddee49642f949fcbb291af55932cf7d6d70a943ff39c2bed4628cf09b64362f95ef13b32196d98ecab3022b8f1ba02942c69d34ebfbeca7f6eb5358

Download Submit
C:\Users\Public\Downloads\tgp_daemon.exe.exe

Filesize
712KB

MD5
feecd18e3904a7b90b4c26a64f4b430e

SHA1
c95b1575ae622e240ce06b1981e722a344ec9e6b

SHA256
e16f3d8236ad2ec4370c2737b205feb56158c635b6ebdb59a7018fc806ecd3fb

SHA512
7b9ed433999e50ef16e45953e514dca0f982f9e399f80f1b4cd9b3eb6a69db47f0fed88c4bb43ecd54e6072cfe3374b7517c16437630087d1b1831a9477f14a8

Download Submit
memory/3348-0-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/3348-2-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3348-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3348-35-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3348-23-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3348-24-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/4232-16-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/4232-22-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-20-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4232-17-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4964-36-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4964-39-0x0000000002410000-0x0000000002426000-memory.dmp

Filesize
88KB

Download
memory/4964-41-0x00000000003C0000-0x00000000004BD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads