gh0strat | 62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f

General

Target

62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
Size

2.6MB
MD5

5be0fa6b59e520c054f98283f22cb490
SHA1

edb50c9e08c3af4d4e0bc9c7dfcd74e76917f5bc
SHA256

62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f
SHA512

d557370825de3f9871e101cbcb48044d06408c21e10118fea7d8f187582420af424327780536ec679dea0867728a0b83d4396f869f797706a592a67666bafb1c
SSDEEP

24576:4YFbkIsaPiXSVnC7Yp9zkNmZG8RRlnSyz+IfWlNtDOw5TkrB+Dgmem1qenB:4YREXSVMDi3IRtDBi9+DemcenB

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240614906.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240614906.bat"	look2.exe

Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exesvchcst.exe

pid process

1404 look2.exe
2068 HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
560 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

1404 look2.exe
2040 svchost.exe
560 svchcst.exe

pid	process
1404	look2.exe
2068	HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
560	svchcst.exe

pid	process
1404	look2.exe
2040	svchost.exe
560	svchcst.exe

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240614906.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1500 2068 WerFault.exe HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

pid	pid_target	process	target process
1500	2068	WerFault.exe	HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

pid	process
3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

pid	process
3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exesvchost.exe

description	pid	process	target process
PID 3248 wrote to memory of 1404	3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe	look2.exe
PID 3248 wrote to memory of 1404	3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe	look2.exe
PID 3248 wrote to memory of 1404	3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe	look2.exe
PID 3248 wrote to memory of 2068	3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe	HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
PID 3248 wrote to memory of 2068	3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe	HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
PID 3248 wrote to memory of 2068	3248	62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe	HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	svchcst.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	svchcst.exe
PID 2040 wrote to memory of 560	2040	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
"C:\Users\Admin\AppData\Local\Temp\62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1404

C:\Users\Admin\AppData\Local\Temp\HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
C:\Users\Admin\AppData\Local\Temp\HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 460
3⤵
- Program crash
PID:1500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:4968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240614906.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2068 -ip 2068
1⤵
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_62c838f5e7cab9c3418ca55b908734ef6c673a3f0f3d7da0584f9215144ba15f.exe
Filesize
1.1MB

MD5
ccac58c65e9c6e41b3ff3cfb9c0076a1

SHA1
57993bb5ff5e8eeb07c638fe007211bd48085bd5

SHA256
b54023b8f7f6cc79eab4040098984fe2a935e1d2dea37c11bc7649d0cb6b2aba

SHA512
005c78aa229b25b2e185afac8d52c3a78b08f5b3648c75fbf9c2a31260ff08c9dcdb3e2d2a408c35853c8aa6aedbd83076289373f92a4f5ac5c0dc3d200e0be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.5MB

MD5
b7ca1a1277966b06b4cde552cbce9983

SHA1
f0407ac062a38b29d1b9326da1cd8514583185cd

SHA256
2e855473475e7aeba7bbc29c667ff3a67fa67e48411ef6e2846b2db283763b99

SHA512
4eec3ee0a0471d32d30b96d9c356129e95f46cea7e153e9ea11f43ef5ca1ff34e10213fbcf591ce5833f4b8d0e0f38906ad46754b0bf0b827aec7be312af0c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe
Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240614906.bat
Filesize
51KB

MD5
62ab2e8b7a75ecf6c2ae83d244011cff

SHA1
62d56968e832fed4dc848ff8ead9d1acfb06e6ba

SHA256
af1ede25d69ea31fd17d42fbdd79fc3f4d8242017cc87a29c2ef7e641a982600

SHA512
f21f050f44d1b0cb7d8561e07bed6f19a171932f8cbed2ea217de0aae861205ff95d14968253a9a55a28f77c30b4fa9b1bfc9e27e8b7759fb591cf5e6caabc3f

Download Submit
C:\Windows\SysWOW64\svchcst.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads