gh0strat | 5d9a69cea0e22d01c1d0fb5dfe020ab01891bf218df26f2548626566ef4499ca

General

Target

8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
Size

376KB
MD5

6663323f99b20538689fbf9e5c942aec
SHA1

d230dbb2e3730cf040f4af8c9a6ce284dde70fe6
SHA256

5d9a69cea0e22d01c1d0fb5dfe020ab01891bf218df26f2548626566ef4499ca
SHA512

daa661883fb8c5c15bedc8eaf47e9746fd3895184d4b6ef1f739ce82f29427294242b2c76d00d135f3febb64bc253655ddaa6d9947975140c166c96152866027
SSDEEP

6144:aOyLEbWaR5Cclr2Z9JyPJrrrrVmJJJJJJJJJJJJJJ7N:5UaWaR5v1sSXA

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

C2

81.68.216.37

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1048-0-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2036	Kcyyqug.exe
2780	Kcyyqug.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	Kcyyqug.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Kcyyqug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Kcyyqug.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kcyyqug.exe	8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
File opened for modification	C:\Program Files (x86)\Kcyyqug.exe	8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe

Modifies data under HKEY_USERS 25 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Kcyyqug.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Kcyyqug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Kcyyqug.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kcyyqug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Kcyyqug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Kcyyqug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Kcyyqug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Kcyyqug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Kcyyqug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Kcyyqug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Kcyyqug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Kcyyqug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Kcyyqug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Kcyyqug.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Kcyyqug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Kcyyqug.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1048	8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
1048	8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
2036	Kcyyqug.exe
2036	Kcyyqug.exe
2780	Kcyyqug.exe
2780	Kcyyqug.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2780	2036	Kcyyqug.exe	29
PID 2036 wrote to memory of 2780	2036	Kcyyqug.exe	29
PID 2036 wrote to memory of 2780	2036	Kcyyqug.exe	29
PID 2036 wrote to memory of 2780	2036	Kcyyqug.exe	29

C:\Users\Admin\AppData\Local\Temp\8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
"C:\Users\Admin\AppData\Local\Temp\8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Program Files (x86)\Kcyyqug.exe
"C:\Program Files (x86)\Kcyyqug.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files (x86)\Kcyyqug.exe
  "C:\Program Files (x86)\Kcyyqug.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kcyyqug.exe

Filesize
376KB

MD5
6663323f99b20538689fbf9e5c942aec

SHA1
d230dbb2e3730cf040f4af8c9a6ce284dde70fe6

SHA256
5d9a69cea0e22d01c1d0fb5dfe020ab01891bf218df26f2548626566ef4499ca

SHA512
daa661883fb8c5c15bedc8eaf47e9746fd3895184d4b6ef1f739ce82f29427294242b2c76d00d135f3febb64bc253655ddaa6d9947975140c166c96152866027

Download Submit
memory/1048-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing