gh0strat | fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442

General

Target

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
Size

8.0MB
MD5

bdd07d338718da10d4e222758e4cc43b
SHA1

0feb2937bce4b869ca8e45eb8057fd5e1f4d78ab
SHA256

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442
SHA512

9e4af92c220c66974a99ad423bf590946908fa7f80fccaa1fdb294ccf017389bab9be9173ad7a7ef217cfd253ff98c55fcc1a329ac00200f020a61208fd6e266
SSDEEP

98304:22SVMK8dWro2mCHer41qIJVUR0LRn2ufOFL//bHAKYmg77UQ1mfa/ews4VOp9mD:2254wIY0LRnHfq37g7oQcfa/ewsWOpsD

Score

10^/10

gh0strat discovery persistence rat spyware stealer

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259396013.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259396013.bat"	look2.exe

Executes dropped EXE 5 IoCs

Processes:

look2.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exegeek64.exesvchcst.exe

pid process

2916 look2.exe
2932 HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2948 geek64.exe
1204
2204 svchcst.exe

pid	process
2916	look2.exe
2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2948	geek64.exe
1204
2204	svchcst.exe

Loads dropped DLL 7 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exelook2.exesvchost.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exesvchcst.exe

pid	process
1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2916	look2.exe
2660	svchost.exe
1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2660	svchost.exe
2204	svchcst.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\259396013.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

Drops file in Windows directory 2 IoCs

Processes:

geek64.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	geek64.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST	geek64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

pid process

1772 fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exegeek64.exe

pid	process
1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2948	geek64.exe
2948	geek64.exe
2948	geek64.exe
2948	geek64.exe
2948	geek64.exe
2948	geek64.exe
2948	geek64.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exesvchost.exe

description	pid	process	target process
PID 1772 wrote to memory of 2916	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 1772 wrote to memory of 2916	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 1772 wrote to memory of 2916	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 1772 wrote to memory of 2916	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1772 wrote to memory of 2932	1772	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 2932 wrote to memory of 2948	2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	geek64.exe
PID 2932 wrote to memory of 2948	2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	geek64.exe
PID 2932 wrote to memory of 2948	2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	geek64.exe
PID 2932 wrote to memory of 2948	2932	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	geek64.exe
PID 2660 wrote to memory of 2204	2660	svchost.exe	svchcst.exe
PID 2660 wrote to memory of 2204	2660	svchost.exe	svchcst.exe
PID 2660 wrote to memory of 2204	2660	svchost.exe	svchcst.exe
PID 2660 wrote to memory of 2204	2660	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
"C:\Users\Admin\AppData\Local\Temp\fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2916

C:\Users\Admin\AppData\Local\Temp\HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
C:\Users\Admin\AppData\Local\Temp\HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\geek64.exe
C:\Users\Admin\AppData\Local\Temp\geek64.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2652

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\259396013.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
490eb76d3a90143603d0a95937b7acc4

SHA1
398c3b941d16414021c7be55893b5b91036f9ed0

SHA256
c404349c9e851b0b78b1cc379014ccecc1e5e0fcfb261ef71306a830789556f6

SHA512
b65ce4380059a103ba5ccfdf61f67769ea45dfc6faceff0d7951c13f968ee172e24a0cae625da368577e29da74ae474ac9f1a19c4295041d2fc37841532e5a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\geek64.exe

Filesize
3.7MB

MD5
c84a3c776bf83d55f901288db3b8b8a0

SHA1
515df2a9fb35beef25d070b688d692646f0a1c8f

SHA256
b8d968872fe7ed8de7eeb89ff6e1ce2029521f7c744c088ae2c4807b396d28ae

SHA512
e471e4ffa1511b5239474577eda92ccb98918eb1633284af20ed80a3cd8366dc4b3ecbe2482b9325e6c543b1acf07731973290265b0ac3c94ea6c436b12e9064

Download Submit
\Users\Admin\AppData\Local\Temp\HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

Filesize
6.7MB

MD5
ef78997488e6121971404a3f25686fee

SHA1
53a260990106e5271cb525f87be008e299beaa85

SHA256
d96df1051e62aa40baefd51235be45f8038745582a5d3428b63123fd2ced60db

SHA512
8a021950ae41a76659cacdba57d4a090b839dc9a39866b1ca3b6efc533d2542cdb40dbf5004c58d1793329a60126052d7372b0b3d4e9165cfa48938f0e77e573

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
fb66e1e31fa1e6dfb21a50ccd11e0409

SHA1
6c45a0a115ec896eb14a531a44809b2a22cf8934

SHA256
5ea8c5455f0ebe884ed98834e78ead8b6c68814bbb1723370299fa44b88c0faa

SHA512
58ee149f70438296a67d5ae5cbd6cb9f5b2510a0381466b8f09eec3835be1ce7cad6903ca8fbc9273105132e85952208e78c59f776416c5449b86cc62111154b

Download Submit
\Windows\SysWOW64\259396013.bat

Filesize
51KB

MD5
07d0e21e6bd82da8011fa0247521c391

SHA1
3e10ab65193b29a9953c597eb6c71e3f3414b037

SHA256
dc42c5fcdbf9022d7f213c59cbc01fc464f1c8459807c7e1e5a5f7277cbdc918

SHA512
35f196f99bd0db1dff3af428c0b93fb563eb826026b23983b774bcf990989f32a35d7368403092abed55650c262ae052d8f1fb19d07cf98a74d9c464c8b31d1d

Download Submit
\Windows\SysWOW64\svchcst.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads