gh0strat | d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b

General

Target

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
Size

1.2MB
MD5

037b5afc971b59a356bfe076734b165b
SHA1

aed4684d046c5fb1687003798ada37618448268c
SHA256

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b
SHA512

6d35f17d0ff1a5522cc4a1c44c302c1bd1b05e0c554a57524fdbd0d097b1eb49b605e125610331034b940e5347f6b6ff378c1dff4f48db96ddfa1910f10b8f52
SSDEEP

24576:iTOgQM/++dshTB9/EkgPY1qOeb+SBpaO5F+pfTZJpqPT/qL:iBYd9/jmnJqO5FeDQPG

Score

10^/10

gh0strat rat vmprotect

Malware Config

Extracted

Family

gh0strat

C2

43.248.139.181

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2936-1-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral1/memory/2008-13-0x0000000000400000-0x000000000053A000-memory.dmp	family_gh0strat
behavioral1/memory/1916-17-0x0000000000400000-0x000000000053A000-memory.dmp	family_gh0strat
behavioral1/memory/2936-18-0x0000000000400000-0x000000000053A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

Kqysceu.exeKqysceu.exe

pid process

2008 Kqysceu.exe
1916 Kqysceu.exe

pid	process
2008	Kqysceu.exe
1916	Kqysceu.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x000000000053A000-memory.dmp	vmprotect
C:\Program Files (x86)\Kqysceu.exe	vmprotect
behavioral1/memory/2008-13-0x0000000000400000-0x000000000053A000-memory.dmp	vmprotect
behavioral1/memory/1916-17-0x0000000000400000-0x000000000053A000-memory.dmp	vmprotect
behavioral1/memory/2936-18-0x0000000000400000-0x000000000053A000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exeKqysceu.exeKqysceu.exe

pid process

2936 d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
2008 Kqysceu.exe
1916 Kqysceu.exe

Drops file in Program Files directory 2 IoCs

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

description	ioc	process
File created	C:\Program Files (x86)\Kqysceu.exe	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
File opened for modification	C:\Program Files (x86)\Kqysceu.exe	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exeKqysceu.exeKqysceu.exe

pid	process
2936	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
2936	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
2936	d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
2008	Kqysceu.exe
2008	Kqysceu.exe
2008	Kqysceu.exe
1916	Kqysceu.exe
1916	Kqysceu.exe
1916	Kqysceu.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

pid process

2936 d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Kqysceu.exe

description	pid	process	target process
PID 2008 wrote to memory of 1916	2008	Kqysceu.exe	Kqysceu.exe
PID 2008 wrote to memory of 1916	2008	Kqysceu.exe	Kqysceu.exe
PID 2008 wrote to memory of 1916	2008	Kqysceu.exe	Kqysceu.exe
PID 2008 wrote to memory of 1916	2008	Kqysceu.exe	Kqysceu.exe

C:\Users\Admin\AppData\Local\Temp\d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe
"C:\Users\Admin\AppData\Local\Temp\d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2936

C:\Program Files (x86)\Kqysceu.exe
"C:\Program Files (x86)\Kqysceu.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Kqysceu.exe
"C:\Program Files (x86)\Kqysceu.exe" Win7
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kqysceu.exe

Filesize
1.2MB

MD5
037b5afc971b59a356bfe076734b165b

SHA1
aed4684d046c5fb1687003798ada37618448268c

SHA256
d61fea7347d18ea1460d17f8b90cb089ea9982f25e3625872574fca8e8f72d6b

SHA512
6d35f17d0ff1a5522cc4a1c44c302c1bd1b05e0c554a57524fdbd0d097b1eb49b605e125610331034b940e5347f6b6ff378c1dff4f48db96ddfa1910f10b8f52

Download Submit
memory/1916-17-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2008-13-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2936-0-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2936-1-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2936-18-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads