gh0strat | 68a5375b61bf9a4fd4ff8d4f1ae13073391f60289f2efe8d83b297924b643ecd

General

Target

2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
Size

9.5MB
MD5

2e6c2043d52211dde035bcde1a74a4d6
SHA1

e71ea4d436c789af01c5416c2e1815bcdf717998
SHA256

68a5375b61bf9a4fd4ff8d4f1ae13073391f60289f2efe8d83b297924b643ecd
SHA512

686ac6211a439a8a4dde3424a48dde1c0b5ee728cd478c9dc64d935ccbc614e336c1ec8d9709e900e407f6da6d3fa7265859cdf94b7e50c91e3d40c760daefa3
SSDEEP

24576:sHnmlJblvSdFP8THlhqe1khlqT6vpAj0qzswz5BJ:2mHz0TqevpGawzx

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/2832-9-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/2832-11-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/2832-10-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/2832-13-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/2932-36-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/2932-39-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/4292-52-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/4292-55-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/4292-56-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/4292-57-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Detects Windows executables referencing non-Windows User-Agents 8 IoCs

resource	yara_rule
behavioral2/memory/2832-9-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2832-11-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2832-13-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2932-39-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4292-52-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4292-55-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4292-56-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4292-57-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables built or packed with MPress PE compressor 6 IoCs

resource	yara_rule
behavioral2/memory/2832-1-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2832-3-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2832-5-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2832-25-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2932-45-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4292-58-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral2/memory/2832-6-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2832-9-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2832-11-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2832-10-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2832-13-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2932-36-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2932-39-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/4292-52-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/4292-55-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/4292-56-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/4292-57-0x0000000010000000-0x0000000010362000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe

Deletes itself 1 IoCs

pid	Process
4292	SQLservras.exe

Executes dropped EXE 4 IoCs

pid	Process
4232	SQLservras.exe
2932	SQLservras.exe
1092	SQLservras.exe
4292	SQLservras.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2832-6-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2832-9-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2832-11-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2832-10-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2832-13-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2932-36-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2932-39-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/4292-52-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/4292-55-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/4292-56-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/4292-57-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SQLservras.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SQLservras.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SQLservras.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SQLservras.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3744 set thread context of 2832	3744	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	86
PID 4232 set thread context of 2932	4232	SQLservras.exe	91
PID 1092 set thread context of 4292	1092	SQLservras.exe	94

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLservras.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SQLservras.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
Token: SeDebugPrivilege	2932	SQLservras.exe
Token: SeDebugPrivilege	4292	SQLservras.exe
Token: SeDebugPrivilege	4292	SQLservras.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2832	3744	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	86
PID 3744 wrote to memory of 2832	3744	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	86
PID 3744 wrote to memory of 2832	3744	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	86
PID 3744 wrote to memory of 2832	3744	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	86
PID 3744 wrote to memory of 2832	3744	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	86
PID 2832 wrote to memory of 4232	2832	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	87
PID 2832 wrote to memory of 4232	2832	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	87
PID 2832 wrote to memory of 4232	2832	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	87
PID 4232 wrote to memory of 2932	4232	SQLservras.exe	91
PID 4232 wrote to memory of 2932	4232	SQLservras.exe	91
PID 4232 wrote to memory of 2932	4232	SQLservras.exe	91
PID 4232 wrote to memory of 2932	4232	SQLservras.exe	91
PID 4232 wrote to memory of 2932	4232	SQLservras.exe	91
PID 1092 wrote to memory of 4292	1092	SQLservras.exe	94
PID 1092 wrote to memory of 4292	1092	SQLservras.exe	94
PID 1092 wrote to memory of 4292	1092	SQLservras.exe	94
PID 1092 wrote to memory of 4292	1092	SQLservras.exe	94
PID 1092 wrote to memory of 4292	1092	SQLservras.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2932

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
437KB

MD5
22a57cb21c6f4c41cfac53aaf0e51f39

SHA1
03468759b0dc3d933e5d9b74bf43a8279ed5361a

SHA256
62812b73ddd45e3d6ad5f670a1fa4a656f0d569b008c6408d88a684686109457

SHA512
81fd3acc043268350e8f50bbc481219e1db6847a138d28e5a00073adf6ec866fd84dce29816c3d286465502128db9dc169f1f8a5fda1ed0d2540ad76ca39d46c

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
162KB

MD5
8f8c9db30ca253fd406c3337dcbba70a

SHA1
387fc59eadadee010c56ed7ef9dce1fef36c1d13

SHA256
0a99a5e7cb88ad136ff84889d20fcba47a94e753fdf4e08a85dacd9b9a5e5979

SHA512
a7b3c9e7765ad0c2feb03d1607e07b765b23fc28be8b657e1dc1012ea45d7b30ed5e7308c581f24001beaeb7539e040803e6c9f00f72e8093d2f3e0b056d36d3

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
104KB

MD5
c2c282672459d8ca8d591d66cdd8d72b

SHA1
43389b371520ee24ad6118e8fc90e282267f9d1c

SHA256
52073fb48a6a23f78db1cbab9504432b4dea7fced311968881003deceeef0c6a

SHA512
651a12d13c4120feb43c28bc7340628932ce77ecf23def363af5bf2ae8f8b43429aa9713a653cedadc4f3b7a13acd140ae863b8de4832a4835060354c385d1c1

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
630KB

MD5
d194312bd6dad6bd9f59d07d3960a93b

SHA1
45d6517c99510b71b8d9af8fe26d59dab777ab26

SHA256
426501ad18441faa3284f02864d60d7031033e2796d74c628bf573ce3ce18cc4

SHA512
66fd40bcea3088979f4fc1d682e7c47e448ed80f52b7a2dce0d742ebaabe322dc07996f3f25554df9b0c6650f6cb58c2ffbe093298b09ae2b026f13932e83724

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
486KB

MD5
07dbb7dcd47dee2d2ad7c5eb3a39d586

SHA1
ef0f7405f63db673ecb63f7f95205aac3608191d

SHA256
3b447818b08c6ad0ac28624b6dd8924b2bfd80482e4675aeecda7ee312f07170

SHA512
936ca28d8188ad1383d53e53484fcfcc4bd4a01d8c743775b9169cf8f471d978b5e8b6650bb84f2a177327da69ddc2e7eb7c67191428fc4ac5926bc78913d37c

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
36KB

MD5
7cf8d66ebfe8dd081e6ea62d4d7e8650

SHA1
37f3703ebdde987939d094732bec73e507b41eb6

SHA256
068b00c5df982994b67ba601c689bffe12a1430d33bb5192b599b2cb2095d1ea

SHA512
ac537267c5b079a26672fbf5dd7c74013dc3d510578324f4965fa43b03d8d7c05c5ce3f9f7d7992cd37716f272856ab112caa65611e70c89295cabb39496309c

Download Submit
memory/1092-41-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2832-6-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2832-13-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2832-10-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2832-11-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2832-25-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2832-9-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2832-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2832-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2832-1-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2932-39-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2932-36-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2932-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3744-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4232-26-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4292-52-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4292-55-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4292-56-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4292-57-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4292-58-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads