gh0strat | 397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871

General

Target

397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
Size

2.8MB
MD5

ea1d39b5b1668b213adc1f96c5a89330
SHA1

75691fee5bde2a44317d453a5c49f58806d5752d
SHA256

397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871
SHA512

881a2341c1bfdac9061984c686f58862939a5c434db38999acae23aa88250ed3ce8feb7dcb3ccfb1ca78fa00f34e89361383f1cbfa6f15a17736520032b7e3b1
SSDEEP

49152:JYREXSVMDi3GhOtB7eU5DHMp7iruyJHVoBU/K2xG2aQktN8:22SVMD8PBaU5rnJ6U/KTH78

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023408-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240596234.bat"	look2.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	look2.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
1052	svchcst.exe

Loads dropped DLL 8 IoCs

pid	Process
1704	look2.exe
3588	svchost.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
1052	svchcst.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240596234.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\SkinH_EL.dll	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
364	HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1704	2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe	84
PID 2672 wrote to memory of 1704	2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe	84
PID 2672 wrote to memory of 1704	2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe	84
PID 2672 wrote to memory of 364	2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe	87
PID 2672 wrote to memory of 364	2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe	87
PID 2672 wrote to memory of 364	2672	397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe	87
PID 3588 wrote to memory of 1052	3588	svchost.exe	97
PID 3588 wrote to memory of 1052	3588	svchost.exe	97
PID 3588 wrote to memory of 1052	3588	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
"C:\Users\Admin\AppData\Local\Temp\397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
  C:\Users\Admin\AppData\Local\Temp\HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:3812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240596234.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_397524a02ed516104fc739373215619294125281c49fe47f1dab68811b4cb871.exe

Filesize
1.6MB

MD5
7afcef755cbfd8d9705a79c5762b82e8

SHA1
1b5b4543e3fd2fb486c3ac8f84177baf0ed0a773

SHA256
69bd6e8c1668ab77cc294a77b8d9b972029c32d3e11857fccdfc87b6d3f20b95

SHA512
e6ce58fb477e488b99d50415c4fb477e067922a5dc33b8411bd53cc30c72cbc76fe74f7039562b6f8c4d76f668888fb9aa8fb0eaef0dcdb378b31c1307f3ee4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
9ea235de82952d8b777b438f360db933

SHA1
3a687406b1beac7e55876f32b04f058b6ff0099c

SHA256
84fa5274a32b0cf9d8336294b57ae563dcaeb9eb350046facf40037e74aa9cdc

SHA512
ddb2b0bf71eaa7521e295b452edb8d7ff117d6da26c7346f51fa1cc80ba9443c9de90296c72981f2fce3bfff2357ab3e50af780b5ca8e4836852502d69b2f321

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240596234.bat

Filesize
51KB

MD5
d3f0ed398ada5cc94d65d3f933a5e750

SHA1
772b906ffa6b1d8438b87693d8a0cdf749463634

SHA256
065e3a54b051df84a72831655454aeff471c0db19c76d539e164b85a1a4b8753

SHA512
9de505f9cf7916035698eb104472f8a63149fa7d344feb8c5410a4d10d3d5f6a05450f1e54563894c4ee2257fd7bacc8a3b98b9e458d3648795fbfd53f30add9

Download Submit
C:\Windows\SysWOW64\SkinH_EL.dll

Filesize
688KB

MD5
bd42ef63fc0f79fdaaeca95d62a96bbb

SHA1
97ca8ccb0e6f7ffeb05dc441b2427feb0b634033

SHA256
573cf4e4dfa8fe51fc8b80b79cd626cb861260d26b6e4f627841e11b4dce2f48

SHA512
431b5487003add16865538de428bf518046ee97ab6423d88f92cda4ff263f971c0cf3827049465b9288a219cc32698fd687939c7c648870dd7d8d6776735c93c

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/364-21-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/364-27-0x0000000002130000-0x0000000002141000-memory.dmp

Filesize
68KB

Download
memory/364-35-0x0000000002790000-0x000000000283F000-memory.dmp

Filesize
700KB

Download
memory/364-55-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads