gh0strat | 909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1

General

Target

909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
Size

1.3MB
MD5

2de4d3fe5d3e90fe716a4d56681d3321
SHA1

04a6198b735449d00f903a1206057f8e206221e0
SHA256

909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1
SHA512

313d18f89d1580a33feb705fcf4ccfe08817e9155dc8d5299cfbb93a1d2dbffb92a82f74a653e24298c9b62e6875ce56c6e0d1d9571562a61944330460fc9cce
SSDEEP

24576:6YFbkIsaPiXSVnC7Yp9zkNmZG8RRlngyz9TbCyIeVznAX/roDs3X:6YREXSVMDi3lT+ybnO

Score

10^/10

gh0strat persistence rat

Malware Config

Extracted

Family

gh0strat

C2

154.64.60.194

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023218-5.dat	family_gh0strat
behavioral2/memory/5020-25-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral2/memory/5020-19-0x0000000000F70000-0x0000000000F86000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240600593.bat"	look2.exe

Executes dropped EXE 3 IoCs

pid	Process
2680	look2.exe
5020	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
1084	svchcst.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	look2.exe
2724	svchost.exe
1084	svchcst.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\L:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\O:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\S:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\T:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\V:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\Y:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\E:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\G:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\J:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\N:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\W:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\Z:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\B:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\I:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\K:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\M:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\P:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\Q:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\R:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\U:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
File opened (read-only)	\??\X:	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240600593.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
5020	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
5020	HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 2680	3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe	88
PID 3924 wrote to memory of 2680	3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe	88
PID 3924 wrote to memory of 2680	3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe	88
PID 3924 wrote to memory of 5020	3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe	92
PID 3924 wrote to memory of 5020	3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe	92
PID 3924 wrote to memory of 5020	3924	909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe	92
PID 2724 wrote to memory of 1084	2724	svchost.exe	100
PID 2724 wrote to memory of 1084	2724	svchost.exe	100
PID 2724 wrote to memory of 1084	2724	svchost.exe	100

C:\Users\Admin\AppData\Local\Temp\909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
"C:\Users\Admin\AppData\Local\Temp\909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
  C:\Users\Admin\AppData\Local\Temp\HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240600593.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_909f062a9bfaccdb28497f626a03dfd6dd3b108b6f42736e11de6dcb073213f1.exe

Filesize
162KB

MD5
52126ec8dc3a91733256098b1add0dae

SHA1
d3719059504f131d48b2639dd1f6a927c53d398c

SHA256
2215b948048544c3e222f3f314680c9fb04de031d61409e64a485477c13b8ae3

SHA512
796f930ceaef621aa99e6328cb34ddc2ac74b21b18c63f309bdef75547e49e057ed2909c3fab80f0dcdb1f9a20ca3b6a79e52d956b2eabf16f3d0df08c7fe784

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
22074480311968dd99a9297d682d08bc

SHA1
6c66fd0e7c37f6b23fa552fc24654711197c068f

SHA256
7395ac8859f6da88947f0b0852372e5d594d812b7eafd7e36378da424fdba4c7

SHA512
f28ad793a7cea56cfd44d0eddf3568511c6f40194aec0f88ea5feb293b7f87a8c886a25aa52d29f81e684322a3520c71b64104ab5bb6dc872e54c23a8a494a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240600593.bat

Filesize
51KB

MD5
012ad10a927ad414c13c58e0cff248cd

SHA1
3867fcc2d0c7d4a0ffdca99e89af3e2185263b6d

SHA256
c26ff5df0ce47a163ef04c102e636a75c975be3833624e311b92ac3104c539fc

SHA512
32fd5d733c1138d76954771ce02503077c5e240e46ab8ee3d839180e5fc9f9a0da497665f136fc90a2b516cd3f1371ad0b94c265286a0706fbbca4f6910dc7d0

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/5020-25-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/5020-19-0x0000000000F70000-0x0000000000F86000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads