gh0strat | a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e

General

Target

a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
Size

1.2MB
MD5

95cedef4b8492769934502aa8347d4f8
SHA1

ed871d8bac626be91f9bab49745e6be458b9b2f7
SHA256

a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e
SHA512

c5040b8f24fb12ca1e52a0ec4255857e455db4dff6c212ae470846c13abe33c6472515466e7f051567d487916aabe30f3188d6632aa4f380f47a4e8cf76a88c5
SSDEEP

24576:TEdksIGN71VVbzYEL+5dNmZG8RRl9T7tmMKTM6I9B7:TEywVVvUji3TsMKTM6Y7

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259394718.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GLk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\259394718.bat"	GLk.exe

Executes dropped EXE 2 IoCs

Processes:

GLk.exesvchist.exe

pid process

2376 GLk.exe
2160 svchist.exe
Loads dropped DLL 5 IoCs

Processes:

a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exeGLk.exesvchost.exesvchist.exe

pid process

2316 a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
2376 GLk.exe
2384 svchost.exe
2384 svchost.exe
2160 svchist.exe

pid	process
2376	GLk.exe
2160	svchist.exe

Drops file in System32 directory 4 IoCs

Processes:

GLk.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\259394718.bat	GLk.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	GLk.exe
File created	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchist.exe	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe

pid	process
2316	a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
2316	a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exesvchost.exe

description	pid	process	target process
PID 2316 wrote to memory of 2376	2316	a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe	GLk.exe
PID 2316 wrote to memory of 2376	2316	a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe	GLk.exe
PID 2316 wrote to memory of 2376	2316	a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe	GLk.exe
PID 2316 wrote to memory of 2376	2316	a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe	GLk.exe
PID 2384 wrote to memory of 2160	2384	svchost.exe	svchist.exe
PID 2384 wrote to memory of 2160	2384	svchost.exe	svchist.exe
PID 2384 wrote to memory of 2160	2384	svchost.exe	svchist.exe
PID 2384 wrote to memory of 2160	2384	svchost.exe	svchist.exe

C:\Users\Admin\AppData\Local\Temp\a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
"C:\Users\Admin\AppData\Local\Temp\a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\GLk.exe
C:\Users\Admin\AppData\Local\Temp\\GLk.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
PID:2968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\svchist.exe
C:\Windows\system32\svchist.exe "c:\windows\system32\259394718.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
95cedef4b8492769934502aa8347d4f8

SHA1
ed871d8bac626be91f9bab49745e6be458b9b2f7

SHA256
a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e

SHA512
c5040b8f24fb12ca1e52a0ec4255857e455db4dff6c212ae470846c13abe33c6472515466e7f051567d487916aabe30f3188d6632aa4f380f47a4e8cf76a88c5

Download Submit
\Users\Admin\AppData\Local\Temp\GLk.exe
Filesize
337KB

MD5
b8e58a96761799f4ad0548dba39d650c

SHA1
c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

SHA256
334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

SHA512
1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

Download Submit
\Windows\SysWOW64\259394718.bat
Filesize
51KB

MD5
95dc3f17fb66a45e504e8db1d69cf99c

SHA1
5a450b29134937b6fb45a59c5481b4c9b82e0950

SHA256
477a382a28ab1b53d6132bb75afafc9879ef24d8ca7aa5672a193dd435b84d83

SHA512
2eba18e4c73420c3325c854e24fa5e5fec151babc9c5ad288454c73adc3f5aebfaa5e7867af8b6e03473aa08335a4f4803cf3d51f64d7f7884f0baac1fef3346

Download Submit
\Windows\SysWOW64\svchist.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads