gh0strat | 38793cdce198f9972b28a4c2e1d1f909ae9b0ef93417ff54ab729db329733027

General

Target

tmp.exe
Size

2.5MB
MD5

945d2c9d9eeb48366f3f29f1038ec995
SHA1

0997d0b535248bb80a0c127cab8b9dd9c3bceec3
SHA256

38793cdce198f9972b28a4c2e1d1f909ae9b0ef93417ff54ab729db329733027
SHA512

751686c17e6c35f02c11074553974914b5afb661fd3ffd83aed6d8882d9fb6d9ccc12b34b03e39edaedb5054074f7e3bf4094b7510c5d4071e57ea123dc0fbab
SSDEEP

24576:ynsJ39LyjbJkQFMhmC+6GD9hYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnPyzwOe+atyC:ynsHyjtk2MYC5GDrYREXSVMDi3XR+qf

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral2/memory/3280-202-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/3280-204-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/3280-201-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/3280-200-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/2996-235-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/2996-239-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/2996-237-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral2/memory/2996-234-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240602375.bat"	look2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240601500.bat"	look2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 8 IoCs

pid	Process
4112	._cache_tmp.exe
2000	look2.exe
984	Synaptics.exe
3280	HD_._cache_tmp.exe
4352	._cache_Synaptics.exe
828	look2.exe
2996	HD_._cache_Synaptics.exe
4912	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
2000	look2.exe
3996	svchost.exe
828	look2.exe
4912	svchcst.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXEB285D75 = "C:\\Windows\\XXXXXXEB285D75\\svchsot.exe"	HD_._cache_tmp.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\240601500.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240602375.bat	look2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	._cache_tmp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XXXXXXEB285D75\svchsot.exe	HD_._cache_tmp.exe
File opened for modification	C:\Windows\XXXXXXEB285D75\svchsot.exe	HD_._cache_tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4112	._cache_tmp.exe
4112	._cache_tmp.exe
3280	HD_._cache_tmp.exe
3280	HD_._cache_tmp.exe
3280	HD_._cache_tmp.exe
3280	HD_._cache_tmp.exe
3280	HD_._cache_tmp.exe
3280	HD_._cache_tmp.exe
4352	._cache_Synaptics.exe
4352	._cache_Synaptics.exe
2996	HD_._cache_Synaptics.exe
2996	HD_._cache_Synaptics.exe
2996	HD_._cache_Synaptics.exe
2996	HD_._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4112	._cache_tmp.exe
4112	._cache_tmp.exe
4352	._cache_Synaptics.exe
4352	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4112	4164	tmp.exe	90
PID 4164 wrote to memory of 4112	4164	tmp.exe	90
PID 4164 wrote to memory of 4112	4164	tmp.exe	90
PID 4112 wrote to memory of 2000	4112	._cache_tmp.exe	101
PID 4112 wrote to memory of 2000	4112	._cache_tmp.exe	101
PID 4112 wrote to memory of 2000	4112	._cache_tmp.exe	101
PID 4164 wrote to memory of 984	4164	tmp.exe	100
PID 4164 wrote to memory of 984	4164	tmp.exe	100
PID 4164 wrote to memory of 984	4164	tmp.exe	100
PID 4112 wrote to memory of 3280	4112	._cache_tmp.exe	96
PID 4112 wrote to memory of 3280	4112	._cache_tmp.exe	96
PID 4112 wrote to memory of 3280	4112	._cache_tmp.exe	96
PID 984 wrote to memory of 4352	984	Synaptics.exe	93
PID 984 wrote to memory of 4352	984	Synaptics.exe	93
PID 984 wrote to memory of 4352	984	Synaptics.exe	93
PID 4352 wrote to memory of 828	4352	._cache_Synaptics.exe	95
PID 4352 wrote to memory of 828	4352	._cache_Synaptics.exe	95
PID 4352 wrote to memory of 828	4352	._cache_Synaptics.exe	95
PID 4352 wrote to memory of 2996	4352	._cache_Synaptics.exe	94
PID 4352 wrote to memory of 2996	4352	._cache_Synaptics.exe	94
PID 4352 wrote to memory of 2996	4352	._cache_Synaptics.exe	94
PID 3996 wrote to memory of 4912	3996	svchost.exe	104
PID 3996 wrote to memory of 4912	3996	svchost.exe	104
PID 3996 wrote to memory of 4912	3996	svchost.exe	104

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\HD_._cache_tmp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2000
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
  C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:828

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240601500.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
381KB

MD5
1c69ce97a9cd22c9dafe3bcf2dd91649

SHA1
d7f69624827996ab4195bb712b64596f2766f1b9

SHA256
1f9c906b61dab4e21f7939084053ef1b3f1862405d8b6e0a2f7165994095f690

SHA512
06a9495a69c0a05e7d741f686acb72cf6d15db9075a17b64f78e141a7e46c71b7d12710192ac543b3c943773e7727a5d04191a33ffc14142b4219cfad5e64305

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
237KB

MD5
b91ad1410638900ffa014b1e0c52be81

SHA1
c6f82e224606188e88ec4a7d4bece0fe2a6a0419

SHA256
e37477ed4eedfb3c01e4a7fd454342bc45382945afc68991be4a88229f08620f

SHA512
da48d9aae9c881ecca14210dc0a347e2089e1c7dbf85d985bba2f6d6d91fe34bf9250b192ce81c5038f0d26e3507f4a7172fc1aedbb2c6d124aedad6dc44186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
1.4MB

MD5
0bc9a91d06468ebaf0221fa4d689344a

SHA1
29aea8f607b0e5b74d6a01a0b316ef65f892c52a

SHA256
64941461adfc0a3f2c4cda9d52c3ec4fa24d5c2d7a74e5a101d33517103ab74c

SHA512
59038e153631aaa6d44cb08a79c7e1df7e7c4061fffefaf88b4ef7dc67417967ac46cf653c5b68e1fbe70e57266c1902598e3e000baff06c867b2fd20715df55

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe

Filesize
1.4MB

MD5
51319467c85b5c80b87756cffddbbf8b

SHA1
4545cb2ce80def86895cf24f5a1fdb19111e97c1

SHA256
5fdb4701555607d3b2f300fd2cd17c7dd942897e0dfe5b0db7032ae8b8df9a75

SHA512
477621ef9ab07b23c3018287626df11e07173422d8684f5949319b4f025b513d6a0b30d1f4f945135f444418ea88fbb2bed902da768948e7b314ef7fcf4870cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
memory/984-286-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/984-270-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/984-264-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/984-262-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/984-145-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2996-237-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2996-236-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2996-234-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2996-239-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2996-235-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3280-200-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3280-201-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3280-204-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3280-265-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3280-202-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/3280-180-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/4164-0-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4164-135-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads