gh0strat | fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442

General

Target

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
Size

8.0MB
MD5

bdd07d338718da10d4e222758e4cc43b
SHA1

0feb2937bce4b869ca8e45eb8057fd5e1f4d78ab
SHA256

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442
SHA512

9e4af92c220c66974a99ad423bf590946908fa7f80fccaa1fdb294ccf017389bab9be9173ad7a7ef217cfd253ff98c55fcc1a329ac00200f020a61208fd6e266
SSDEEP

98304:22SVMK8dWro2mCHer41qIJVUR0LRn2ufOFL//bHAKYmg77UQ1mfa/ews4VOp9mD:2254wIY0LRnHfq37g7oQcfa/ewsWOpsD

Score

10^/10

gh0strat discovery persistence rat spyware stealer

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240605437.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240605437.bat"	look2.exe

Executes dropped EXE 4 IoCs

Processes:

look2.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exegeek64.exesvchcst.exe

pid process

756 look2.exe
1392 HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
4012 geek64.exe
2256 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

756 look2.exe
372 svchost.exe
2256 svchcst.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
756	look2.exe
1392	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
4012	geek64.exe
2256	svchcst.exe

pid	process
756	look2.exe
372	svchost.exe
2256	svchcst.exe

Drops file in System32 directory 4 IoCs

Processes:

svchost.exelook2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240605437.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

Drops file in Program Files directory 1 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

pid	process
4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exegeek64.exe

pid	process
4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
1392	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
4012	geek64.exe
4012	geek64.exe
4012	geek64.exe
4012	geek64.exe
4012	geek64.exe
4012	geek64.exe
4012	geek64.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exeHD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exesvchost.exe

description	pid	process	target process
PID 4452 wrote to memory of 756	4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 4452 wrote to memory of 756	4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 4452 wrote to memory of 756	4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	look2.exe
PID 4452 wrote to memory of 1392	4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 4452 wrote to memory of 1392	4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 4452 wrote to memory of 1392	4452	fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
PID 1392 wrote to memory of 4012	1392	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	geek64.exe
PID 1392 wrote to memory of 4012	1392	HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe	geek64.exe
PID 372 wrote to memory of 2256	372	svchost.exe	svchcst.exe
PID 372 wrote to memory of 2256	372	svchost.exe	svchcst.exe
PID 372 wrote to memory of 2256	372	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
"C:\Users\Admin\AppData\Local\Temp\fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:756

C:\Users\Admin\AppData\Local\Temp\HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
C:\Users\Admin\AppData\Local\Temp\HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\geek64.exe
C:\Users\Admin\AppData\Local\Temp\geek64.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:1408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240605437.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4.5MB

MD5
04e16a5fee24c93ccc696a3dda0c7415

SHA1
8d9a662620ab33dc938883ff9e554f1d20b7d579

SHA256
2ffb8ae00c1566d0abb62b8fb374f76dedf462cdee4c6940c39246c776526afd

SHA512
e220de8a4c94f72d4aef8847de70c80c97c82c00a3e56d3b3ddbb6d1e84e0b35188897e5c584713a3d93fe92b3795a84be6b7a9847404b5874711cd299d7a401

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
490eb76d3a90143603d0a95937b7acc4

SHA1
398c3b941d16414021c7be55893b5b91036f9ed0

SHA256
c404349c9e851b0b78b1cc379014ccecc1e5e0fcfb261ef71306a830789556f6

SHA512
b65ce4380059a103ba5ccfdf61f67769ea45dfc6faceff0d7951c13f968ee172e24a0cae625da368577e29da74ae474ac9f1a19c4295041d2fc37841532e5a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_fb7e2bc1584c40e95e9343f8f284fd0583baa7af61087ea598c284276529c442.exe

Filesize
6.7MB

MD5
ef78997488e6121971404a3f25686fee

SHA1
53a260990106e5271cb525f87be008e299beaa85

SHA256
d96df1051e62aa40baefd51235be45f8038745582a5d3428b63123fd2ced60db

SHA512
8a021950ae41a76659cacdba57d4a090b839dc9a39866b1ca3b6efc533d2542cdb40dbf5004c58d1793329a60126052d7372b0b3d4e9165cfa48938f0e77e573

Download Submit
C:\Users\Admin\AppData\Local\Temp\geek64.exe

Filesize
3.7MB

MD5
c84a3c776bf83d55f901288db3b8b8a0

SHA1
515df2a9fb35beef25d070b688d692646f0a1c8f

SHA256
b8d968872fe7ed8de7eeb89ff6e1ce2029521f7c744c088ae2c4807b396d28ae

SHA512
e471e4ffa1511b5239474577eda92ccb98918eb1633284af20ed80a3cd8366dc4b3ecbe2482b9325e6c543b1acf07731973290265b0ac3c94ea6c436b12e9064

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
fb66e1e31fa1e6dfb21a50ccd11e0409

SHA1
6c45a0a115ec896eb14a531a44809b2a22cf8934

SHA256
5ea8c5455f0ebe884ed98834e78ead8b6c68814bbb1723370299fa44b88c0faa

SHA512
58ee149f70438296a67d5ae5cbd6cb9f5b2510a0381466b8f09eec3835be1ce7cad6903ca8fbc9273105132e85952208e78c59f776416c5449b86cc62111154b

Download Submit
C:\Windows\SysWOW64\240605437.bat

Filesize
51KB

MD5
38bf45f940b928f4794d7ab626ebe497

SHA1
499350e0e66a6f093ae0e2abf7745f9814fbf67e

SHA256
331e75d8902954486f699742e1e7d40a6f8b7fb908ff70f2f7db6d03f2a61815

SHA512
1d67f2b64329334a4695f50ec4dbc9c7ad9ebdc52cba0a065ab0a634bad743e6f5dbc135dfc54f67f6ef780f138b965a93236c71e82febcf40461233928f835b

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads