gh0strat | d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3

General

Target

d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
Size

4.5MB
MD5

ad94db8b9653669a24f22586ac01ea47
SHA1

3e3a839b146117c3a7faebc8b32dac52fb190942
SHA256

d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3
SHA512

ebf449294a450c329bb9504e96310d3e8900c18de074e29bdcb19b54d5cc507447a9c4a790400a4a3cd0ef5e6f9a7c6a87e2ecc78813a56fd5256ea4bfb7ec87
SSDEEP

49152:ZYREXSVMDi3nlbXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHC4O8b8ITDnl27PL:G2SVMD8nlbXsPN5kiQaZ56

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002341e-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240597531.bat"	look2.exe

Executes dropped EXE 3 IoCs

pid	Process
3728	look2.exe
876	HD_d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
692	svchcst.exe

Loads dropped DLL 3 IoCs

pid	Process
3728	look2.exe
4976	svchost.exe
692	svchcst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240597531.bat	look2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3728	3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe	83
PID 3800 wrote to memory of 3728	3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe	83
PID 3800 wrote to memory of 3728	3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe	83
PID 3800 wrote to memory of 876	3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe	86
PID 3800 wrote to memory of 876	3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe	86
PID 3800 wrote to memory of 876	3800	d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe	86
PID 4976 wrote to memory of 692	4976	svchost.exe	98
PID 4976 wrote to memory of 692	4976	svchost.exe	98
PID 4976 wrote to memory of 692	4976	svchost.exe	98

C:\Users\Admin\AppData\Local\Temp\d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
"C:\Users\Admin\AppData\Local\Temp\d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\HD_d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
  C:\Users\Admin\AppData\Local\Temp\HD_d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe
  2⤵
  - Executes dropped EXE
  PID:876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:4964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240597531.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.4MB

MD5
d06fa166143d57aa8a42e20efd2e3310

SHA1
a989511d93670277cc6d6331a3afa29a3ad2b6ba

SHA256
42f15ba9f5b89464dfedc7329d3e96edc578776ef5cc58cb31a360db4b0049d1

SHA512
fe93cee9ee16744b672660082a67df83dcb0b1c0cade0a451a143471133aaf64ee426773797c2975af141058108c49f0b6e099227fbcbacd10fd78637f58b2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_d485529711cf35d682223c32065499b86f97474805b0b4bbff4db600c1a985b3.exe

Filesize
3.1MB

MD5
fb083acd60fe5c3156dc25442be815e3

SHA1
61df59b8f3ebd8b3d29ca3aedc4995e23cacf6d8

SHA256
f130b3789962d5c8b59aa250d6f26ad5945928f3905b32bf65aa7bd30348a794

SHA512
7147337d2c1006bb15cfa967c9eea6826b63c8d343f866e7454d7368d25019f39e52cf179500810834244c3ca9644d6c0df0b2c3128a9051e9ee6b428fa926f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240597531.bat

Filesize
51KB

MD5
7029383ab87cb7c039f4b52bbcd844c1

SHA1
1ad227c1613471208a4cbb9e90123d2eb185b332

SHA256
d02656cfa6094ab32ba7f5d3f529a8106d511b4859a8564dadb22ded6b5df48a

SHA512
aa057918c5d2d63552545cbab43e0eb6ad1fc48fc68de2dc945980838311a5de4cc39b18eb1ecd04534ef8ddef1e633d1af5fe9795735040135c401d25d3e17b

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads