gh0strat | c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43

General

Target

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
Size

9.4MB
MD5

94d209ac5cd848317a7639b6a643960c
SHA1

db97abdeda046aee264e9b25072b78a4489a2a8a
SHA256

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43
SHA512

763f5ab1b322c802cf074b2545bb078b61271b26a63d54defc17dca0030ab4d4733951d55ecf107884b0e948d6c5946f39a44201e1763d8891a8e833236aeeae
SSDEEP

196608:c9xvu742tJevE8n2jpeChoKNryRa44hI8:qvqJOnquUB

Score

10^/10

gh0strat oss_ak persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240603312.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
behavioral2/memory/2832-46-0x0000000000400000-0x0000000001627000-memory.dmp	detect_ak_stuff

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GLk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\240603312.bat"	GLk.exe

Executes dropped EXE 3 IoCs

Processes:

GLk.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exesvchist.exe

pid process

2476 GLk.exe
2832 HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2740 svchist.exe
Loads dropped DLL 4 IoCs

Processes:

GLk.exesvchost.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exesvchist.exe

pid process

2476 GLk.exe
4500 svchost.exe
2832 HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2740 svchist.exe

pid	process
2476	GLk.exe
2832	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2740	svchist.exe

pid	process
2476	GLk.exe
4500	svchost.exe
2832	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2740	svchist.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	upx
behavioral2/memory/2832-19-0x0000000000400000-0x0000000001627000-memory.dmp	upx
behavioral2/memory/2832-26-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/2832-29-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/2832-28-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/2832-27-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/2832-25-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/2832-41-0x0000000010000000-0x00000000105A1000-memory.dmp	upx
behavioral2/memory/2832-46-0x0000000000400000-0x0000000001627000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

GLk.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240603312.bat	GLk.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	GLk.exe
File created	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchist.exe	svchost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4992	2832	WerFault.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2660	2832	WerFault.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

pid	process
3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exeHD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

pid	process
3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2832	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2832	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exesvchost.exe

description	pid	process	target process
PID 3700 wrote to memory of 2476	3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 3700 wrote to memory of 2476	3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 3700 wrote to memory of 2476	3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	GLk.exe
PID 3700 wrote to memory of 2832	3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 3700 wrote to memory of 2832	3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 3700 wrote to memory of 2832	3700	c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe	HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
PID 4500 wrote to memory of 2740	4500	svchost.exe	svchist.exe
PID 4500 wrote to memory of 2740	4500	svchost.exe	svchist.exe
PID 4500 wrote to memory of 2740	4500	svchost.exe	svchist.exe

C:\Users\Admin\AppData\Local\Temp\c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
"C:\Users\Admin\AppData\Local\Temp\c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\GLk.exe
C:\Users\Admin\AppData\Local\Temp\\GLk.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2476

C:\Users\Admin\AppData\Local\Temp\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
C:\Users\Admin\AppData\Local\Temp\\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1000
3⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1020
3⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
PID:2636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\svchist.exe
C:\Windows\system32\svchist.exe "c:\windows\system32\240603312.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2832 -ip 2832
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2832 -ip 2832
1⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll
Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLk.exe
Filesize
337KB

MD5
b8e58a96761799f4ad0548dba39d650c

SHA1
c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

SHA256
334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

SHA512
1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
7e77a529093ae4048a9cf756bb7058bd

SHA1
853ebd86d78bb8fbced937bde257634599001e09

SHA256
9d6cc1b56054ee63996263c26c1d75cdd8220c2f4718545cfc9150ee3e216178

SHA512
d26443427d56e859344c4535fa2176649b136063de6324901323732cf68dd5498f2475aeeb94ac40ab78c2d1968d7a763ad5c99d1ebe90090190d4dc9d7d95f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_c51d2a5bd5ee1a58fa3a95c9860aa795ebd264e4ae0a6c173189c1e903876f43.exe
Filesize
8.3MB

MD5
68182c831aecfbcb52540d7f628c8b86

SHA1
6eb46e3ee58f4f5f93a570b051cce0210d37180c

SHA256
83e5dddf72dc7224af106de7d387f5854f20619020abb3f5ac97bd4ac1e760af

SHA512
41c938a00d436edae5afdaa714dfa8f650b960acd48685bc89392b33bbc43a12d57add32eaf66fc7816e8057fb245f1d5db8c6d9e8669ba9f78a8f55a8f0ff86

Download Submit
C:\Windows\SysWOW64\240603312.bat
Filesize
51KB

MD5
a4f95328aca88cd6e446b521bb72dcf9

SHA1
55e6d457f452df8db80a8dcbb94e618cd2d44b1e

SHA256
04449e655aa2249f48a7d05ac37d6ed1d0cd7c249248dd5264a5a266230d2234

SHA512
ad02861af17d3b8de33fef3cf943fdf2c359c713d68fc1b72bf0a367b1f0e430df671f100063629595f7717363ba643ffcc560e65a14680efd078a7a4721ce11

Download Submit
C:\Windows\SysWOW64\svchist.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2832-19-0x0000000000400000-0x0000000001627000-memory.dmp

Filesize
18.2MB

Download
memory/2832-29-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2832-28-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2832-27-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2832-30-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/2832-25-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2832-26-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2832-41-0x0000000010000000-0x00000000105A1000-memory.dmp

Filesize
5.6MB

Download
memory/2832-46-0x0000000000400000-0x0000000001627000-memory.dmp

Filesize
18.2MB

Download
memory/3700-0-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads