gh0strat | f65275ca49e7d7e2ee1abca59bbde6229ab0a1f60e2203c33a9762eee69a43b7

General

Target

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
Size

48.5MB
MD5

825ed8f58bc6090cbfbbaeccd0d9e439
SHA1

a632f648a46a2c66552ac9a8df26edb89975f6a1
SHA256

f65275ca49e7d7e2ee1abca59bbde6229ab0a1f60e2203c33a9762eee69a43b7
SHA512

1a2a8e7d09a7b2bbb0d230c46e468e9ed936434884316223f42d0420694af1b3d083d86dffb6f68633ed8e9befb079d03d5db41172b312386501392625263bb9
SSDEEP

49152:EmHz0TqevpGawzeHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHK:EWoTbpZwzx

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2948-10-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/2948-9-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1792-34-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1792-35-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1860-48-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1860-49-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1860-50-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1860-51-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Detects Windows executables referencing non-Windows User-Agents 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2948-10-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2948-9-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1792-34-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1792-35-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1860-48-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1860-49-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1860-50-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1860-51-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables built or packed with MPress PE compressor 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2948-1-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2948-4-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2948-5-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2948-3-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2948-22-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1792-30-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1792-42-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1860-52-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2948-6-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2948-10-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/2948-9-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1792-34-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1792-35-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1792-31-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1860-45-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1860-48-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1860-49-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1860-50-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral2/memory/1860-51-0x0000000010000000-0x0000000010362000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe

Deletes itself 1 IoCs

Processes:

SQLservras.exe

pid process

1860 SQLservras.exe
Executes dropped EXE 4 IoCs

Processes:

SQLservras.exeSQLservras.exeSQLservras.exeSQLservras.exe

pid process

2328 SQLservras.exe
1792 SQLservras.exe
8 SQLservras.exe
1860 SQLservras.exe

pid	process
1860	SQLservras.exe

pid	process
2328	SQLservras.exe
1792	SQLservras.exe
8	SQLservras.exe
1860	SQLservras.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2948-6-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2948-10-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/2948-9-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1792-34-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1792-35-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1792-31-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1860-45-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1860-48-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1860-49-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1860-50-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1860-51-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

SQLservras.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SQLservras.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SQLservras.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SQLservras.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SQLservras.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exe

description	pid	process	target process
PID 636 set thread context of 2948	636	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2328 set thread context of 1792	2328	SQLservras.exe	SQLservras.exe
PID 8 set thread context of 1860	8	SQLservras.exe	SQLservras.exe

Drops file in Program Files directory 2 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SQLservras.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLservras.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

SQLservras.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLservras.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exe

description	pid	process
Token: SeDebugPrivilege	2948	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
Token: SeDebugPrivilege	1792	SQLservras.exe
Token: SeDebugPrivilege	1860	SQLservras.exe
Token: SeDebugPrivilege	1860	SQLservras.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exe

description	pid	process	target process
PID 636 wrote to memory of 2948	636	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 636 wrote to memory of 2948	636	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 636 wrote to memory of 2948	636	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 636 wrote to memory of 2948	636	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 636 wrote to memory of 2948	636	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2948 wrote to memory of 2328	2948	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2948 wrote to memory of 2328	2948	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2948 wrote to memory of 2328	2948	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2328 wrote to memory of 1792	2328	SQLservras.exe	SQLservras.exe
PID 2328 wrote to memory of 1792	2328	SQLservras.exe	SQLservras.exe
PID 2328 wrote to memory of 1792	2328	SQLservras.exe	SQLservras.exe
PID 2328 wrote to memory of 1792	2328	SQLservras.exe	SQLservras.exe
PID 2328 wrote to memory of 1792	2328	SQLservras.exe	SQLservras.exe
PID 8 wrote to memory of 1860	8	SQLservras.exe	SQLservras.exe
PID 8 wrote to memory of 1860	8	SQLservras.exe	SQLservras.exe
PID 8 wrote to memory of 1860	8	SQLservras.exe	SQLservras.exe
PID 8 wrote to memory of 1860	8	SQLservras.exe	SQLservras.exe
PID 8 wrote to memory of 1860	8	SQLservras.exe	SQLservras.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2328

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
48.5MB

MD5
825ed8f58bc6090cbfbbaeccd0d9e439

SHA1
a632f648a46a2c66552ac9a8df26edb89975f6a1

SHA256
f65275ca49e7d7e2ee1abca59bbde6229ab0a1f60e2203c33a9762eee69a43b7

SHA512
1a2a8e7d09a7b2bbb0d230c46e468e9ed936434884316223f42d0420694af1b3d083d86dffb6f68633ed8e9befb079d03d5db41172b312386501392625263bb9

Download Submit
memory/8-37-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/636-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1792-35-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1792-34-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1792-30-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1792-31-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1792-42-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1860-48-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1860-45-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1860-49-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1860-50-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1860-51-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1860-52-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2328-25-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2948-6-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2948-22-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2948-9-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2948-10-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2948-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2948-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2948-4-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2948-1-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads