gh0strat | fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd

General

Target

fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
Size

2.3MB
MD5

8fbf3c62693a58260124b316ff137a3e
SHA1

1b8423d3a36c52d4f6b4cb454463435dca3562a9
SHA256

fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd
SHA512

8c70759972b4a7d56bdb06f67db493b1862a0afbe80c26d9d19e5e6978c56d792c7cec23750ba5ff369e36e5915cce0e0972ea04dcb2f2a51d12af2070c6a150
SSDEEP

24576:KYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnZyzDs6u8ig6TcB+LoqSZQRbw+NAybxJFCS:KYREXSVMDi3riiy+LoqGQRbCIIPMflJ

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240608468.bat	family_gh0strat
behavioral2/memory/1688-19-0x0000000010000000-0x000000001018B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240608468.bat"	look2.exe

Executes dropped EXE 3 IoCs

Processes:

look2.exeHD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exesvchcst.exe

pid process

3436 look2.exe
1688 HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
4912 svchcst.exe
Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

3436 look2.exe
2092 svchost.exe
4912 svchcst.exe

pid	process
3436	look2.exe
1688	HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
4912	svchcst.exe

pid	process
3436	look2.exe
2092	svchost.exe
4912	svchcst.exe

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240608468.bat	look2.exe

Drops file in Program Files directory 1 IoCs

Processes:

fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

pid	process
4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

pid	process
4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exesvchost.exe

description	pid	process	target process
PID 4764 wrote to memory of 3436	4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe	look2.exe
PID 4764 wrote to memory of 3436	4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe	look2.exe
PID 4764 wrote to memory of 3436	4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe	look2.exe
PID 4764 wrote to memory of 1688	4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe	HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
PID 4764 wrote to memory of 1688	4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe	HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
PID 4764 wrote to memory of 1688	4764	fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe	HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
PID 2092 wrote to memory of 4912	2092	svchost.exe	svchcst.exe
PID 2092 wrote to memory of 4912	2092	svchost.exe	svchcst.exe
PID 2092 wrote to memory of 4912	2092	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
"C:\Users\Admin\AppData\Local\Temp\fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
  C:\Users\Admin\AppData\Local\Temp\HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe
  2⤵
  - Executes dropped EXE
  PID:1688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:1464

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240608468.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
4b31efcd2cce6027d87a3f73b30e7721

SHA1
2432dcf9d29de395516167f5a75e191526c3114c

SHA256
ef800b21bfb319046dc20ecc8d23aa610790a787baabb596235f276bec5c681f

SHA512
59cbbd4f95c86b50b6a75492a869e023bc38c0e3d7f9e8bf8076236b8c05686fbcb791b1713dbdb3c42af277eb5844cd0a86ab44fdccbbf27a90f59c503c127e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_fabd0e387a5691143ed5bb67cc20b2c54707643e3bef55449e84de7451ecabdd.exe

Filesize
1.2MB

MD5
55b5473baf939a58e5554dd8c74a0d8c

SHA1
580d1762bfc6fd833776254a5a98c991fe21883d

SHA256
f137147d85b0299bdb1069fc9463fb135064c9a03ce424bd5f09587aa509b17b

SHA512
ebfab407531eaba1068f21b1b5f884528072ce6f04e8ed8a72e21c7651dc2da83796ffbd541d30c2c038c3919683472ae0e15d7eb0e4ca57eef4f63509720604

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240608468.bat

Filesize
51KB

MD5
b30483d08a266354f8259ac3b240dff2

SHA1
45f90b6b6f655b1f823085eae219fd18a878acd9

SHA256
df83dad89c4e1ba2a74d890dc3b5d59cd67e3d2a0875a8a94521b4c53d24d3f1

SHA512
684e3e7bdb25f902a4fe615341b63bd4746ff2169dbb64570d8cecfe8d1d720f424c8d98dbab083efea9fbbaa81e8e1520677b50249b6b8508f1a5cfd6acf8e6

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1688-19-0x0000000010000000-0x000000001018B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads