gh0strat | ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46

General

Target

ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
Size

5.3MB
MD5

af3bf54a71a77465cdc754ace508be33
SHA1

2ebc3b7e66939006fa784e9f2ca4ab8b1a4a0812
SHA256

ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46
SHA512

c4ad9d7353daf060ad76b0d76419197e660b7ba12d66926f5c891a1b44f1cbe57fe12e9f88766a61666eecb683d055cb092d473c89734c3f42f71d35d20e6497
SSDEEP

98304:x2SVMD8eoaAR9kdGbNgkz0j0x1pTfGpZ67QjUUZYf1kQ8tmEsgAXOMsP:5JedGeI0spTeZ6K/ZYf1k3IgAeMsP

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023416-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240594593.bat"	look2.exe

Executes dropped EXE 3 IoCs

pid	Process
828	look2.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4100	svchcst.exe

Loads dropped DLL 4 IoCs

pid	Process
828	look2.exe
3900	svchost.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4100	svchcst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240594593.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
4960	HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 828	2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe	82
PID 2532 wrote to memory of 828	2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe	82
PID 2532 wrote to memory of 828	2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe	82
PID 2532 wrote to memory of 4960	2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe	85
PID 2532 wrote to memory of 4960	2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe	85
PID 2532 wrote to memory of 4960	2532	ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe	85
PID 3900 wrote to memory of 4100	3900	svchost.exe	93
PID 3900 wrote to memory of 4100	3900	svchost.exe	93
PID 3900 wrote to memory of 4100	3900	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
"C:\Users\Admin\AppData\Local\Temp\ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:828
- C:\Users\Admin\AppData\Local\Temp\HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
  C:\Users\Admin\AppData\Local\Temp\HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240594593.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
bc153625ae25220d9b53d2c8e4e6d6f2

SHA1
01ec6bf68921d206fc3f506f7622719fc703670a

SHA256
5fcfbbe1f6a2e98360bfc7d7f7019f759b8742f9a6b53e50715713c907a7f71e

SHA512
8f1801de1cda66565d7d997e33d612901be51932b9f44548095e871292854d32af149c3e821c1b65445fc78805852c8f630872419fccae1d6864de2aead471e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_ec8c14f707e84420413b729f054d5262c0f74f2a1af90d984bf3d65a45533b46.exe

Filesize
4.0MB

MD5
02bf0428a050883e716730ce0eee12eb

SHA1
4ab20d3ca66a792239bbe69fc4c9df1baeef34f7

SHA256
71ce07646c80aa3028dc8df1e942943f612574559ab40f62e634599ea46d5e23

SHA512
c30592da97cf394a3a723356f1db0c5a747ff4a8e416c00c2f2a0fb36af79a6e1f0fe86245f743eec54577cb3517c398b6e34fbf42c818273d5ffad640b8ea57

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240594593.bat

Filesize
51KB

MD5
c478bd9fcb865561400bd82b1e82c84f

SHA1
2cf5c6d62da8e4fa875bb648f54a77db04724bda

SHA256
175ba892d54dfe1655de91e17cd771d28e403e6ba3954f83de84f9a67f9f2012

SHA512
5fcb0422da272394d0b9086b2a779a7430c43448d3c1a2a07820d102870c620c66f2537a1f1783a1c520edf8b4378ea8a4a32fa5fc7b6974595976edaa8b85e5

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/4960-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4960-40-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads