Malware Analysis Report

2025-01-22 14:42

Sample ID 240605-ppq9nsgc24
Target 2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28
SHA256 2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28

Threat Level: Known bad

The file 2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0strat

Gh0st RAT payload

Sets DLL path for service in the registry

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 12:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 12:30

Reported

2024-06-05 12:36

Platform

win7-20240221-en

Max time kernel

106s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259426339.bat" C:\Users\Admin\AppData\Local\Temp\look2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchcst.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259426339.bat C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File created C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1056 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1056 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1056 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 1056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 1056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 1056 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 2684 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 3056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 3056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 3056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 3056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

"C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe"

C:\Users\Admin\AppData\Local\Temp\look2.exe

C:\Users\Admin\AppData\Local\Temp\\look2.exe

C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp" /SL5="$40172,1110397,179200,C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe"

C:\Windows\SysWOW64\svchcst.exe

C:\Windows\system32\svchcst.exe "c:\windows\system32\259426339.bat",MainThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 kinh.xmcxmr.com udp

Files

\Users\Admin\AppData\Local\Temp\look2.exe

MD5 2f3b6f16e33e28ad75f3fdaef2567807
SHA1 85e907340faf1edfc9210db85a04abd43d21b741
SHA256 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512 db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

\Windows\SysWOW64\259426339.bat

MD5 2b2cab888e75457167b1dd81ff0a39dd
SHA1 a06433e15ed74c87254ba87090e3f7d1bba1e486
SHA256 3b2f39609bc733286412da568e10f630aaa624ace69f99a0daab7fdb1aea7014
SHA512 355f1551d22ac29dff1cc20e0ae7a39cea43c35e7dc9659bd67eabad09587f611bdc27c4bfdd064a6abe8160ee8aef61746bb57dad442b5fdbea41f265c45450

\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

MD5 fc82bffaedac9a735d2abdfed3e20843
SHA1 8a782efa2eb830785ac09690ca1fc9b13b7b9b39
SHA256 f83c599649b92be000220a63ae3e98e081efabdabb4449965832ab212c802cd2
SHA512 8ca9b9e30b62e1e9207c263855144358d7272145099cc64c74afcf4da199993de1b5db00a236adff338bfdb8446bccc0992124ba09e98b3cb686a91b367c2b25

memory/2684-17-0x0000000000401000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-JBDC1.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp

MD5 d7d4116cc40ad6c8c261114c9d25a009
SHA1 1bf6653af8bfec61841c85b7dab09610e5c1c04a
SHA256 ae86d5ffe70763e6c16535010e23319f7ec947f6d4fc90db90c5cb6800fbc246
SHA512 48b293a6494a43f11cf59895fc0bba4f5d0375b204e1215389ec94ab6669bcc7c4dd2daf6dfa793d62ee3dc3c6c50b400e6f0d6da840fa76f898deba8eba976b

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 3d2ace4d383b9460521ab9bcf7007bd9
SHA1 e3eb2157d3f9aa1c730256a8b6ecfe2ce6c501d1
SHA256 fda48416d561902bf1883d3683f996a0fff43e3aba1113e63fce17aa92fd2309
SHA512 070bd3b3249874986558fb9ff00e89599654571071b94417bcd60e69fb24797de11139f7976d11d78821dba583d696d65bc87183637601548bf5ecfaac5b0c2f

\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2540-53-0x0000000001FE0000-0x0000000001FF5000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\innocallback.dll

MD5 1c55ae5ef9980e3b1028447da6105c75
SHA1 f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

memory/2684-15-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2540-58-0x0000000002000000-0x000000000200E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\botva2.dll

MD5 0177746573eed407f8dca8a9e441aa49
SHA1 6b462adf78059d26cbc56b3311e3b97fcb8d05f7
SHA256 a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008
SHA512 d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_close.png

MD5 684a1fe844a84f7f83682b2a197b3597
SHA1 132cfffa79237b3466299b41eece06c2cb8a96c3
SHA256 5e1450f7f6a8f27e55cd61c775ba3901fd8fe0844f514187fad399a1f814ca4d
SHA512 700be65de1a40715709895f55315b1b5d133b0b5250fcccbad05f715bdce1b4e20c918593c620aa90e1fed2b9793a5047e460322dfa982a5314109bd2dbf2c95

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_n.png

MD5 ae55da6af3d875ae8be8def9123dcad4
SHA1 9dccceaa003cad7829313d18e42235e615f18bc5
SHA256 7b371f1ebb1e3d63341f09002ceaf070e3db865ffeb8e13da89749f8836655da
SHA512 06dcdd3a6b78882bbf2e93132a4995daeb690e966e08b3686382201486d2cf53081aef0f7b60af99261c4ba16aea2f6f9e7c578f0ff0eb9b268f1450660160bf

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_Browser.png

MD5 a4c938229252d5e12c4acd36233ae433
SHA1 bc765e8c232667815394fda329bfbd8efce3315a
SHA256 27d9aa4f44f75e37f74a4c9a9c08b0b5cc24b2f10da5d59a635e08ff21b7f0db
SHA512 8b15fb457f8d9ddd0a3edb45e7be252b533c5c6f8695ce079a3458bd4ffbe92151c732ef194afa369e468f0aec04bbbc9239347ff9a1b7009b700157044495da

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\back.png

MD5 58e38e7f83a055af72eb9b690727bba1
SHA1 cd146465433b50ef7045d29e047f7078dd4830f8
SHA256 97a307fada06d941311934016961dd022f929c290eb566503d1f027b74f4ddf3
SHA512 4327fead8ef651273ea98d74da37b178a78478bf49f8eeff2edcd78f5320520a360895977544510a6377e7f14f7fa242862c4555c26b596e8b49e107139030e9

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\checkboxdeep.png

MD5 9e693f05d0ed1a24e7ced0e5bc45f21f
SHA1 1ada5d34ebba6e54cfb68a899e64f78e56529ae6
SHA256 7bcd9a1ec59f46c694a1f1c8d61d4e14012a8497d33ff11b13fa951f712557ea
SHA512 d6ada4bf49c30b4bed6645e73c11bae28fcba6dee77372db842e5884393e866013586ede5084418e91c3cb3a0fad6c7f8c18a65a73f3b3c0fbce989d42bb2a9e

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\license.png

MD5 c9eeca6b0551598f0f6eb3e3e45c1a8f
SHA1 0555af84be67ba5cfba64d4799ef50692c2c64a4
SHA256 3e38c35c1f6c11bc435855b7b7d6ad3632e23c7a5cb1a65f05d6b4c9f72d0c45
SHA512 2cbdb479436ec7a298e6b89f5e5eb09a8ae497b597c88fdcc94c3bdcb1633b6f510c67a3ad217acc7d6716b2ba2feb4b5119183e90d1544bedab48cbf17a7f62

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\xy.png

MD5 4a94e49806b7f6ef37b473869ac9233a
SHA1 83821dda7cd06aec9260fa37435eacfc0a25af82
SHA256 a01b9b45286135719f37fbb66494fa2812253df6853e0b077db2e7d21910df72
SHA512 6a169347c61dcca40e399fbaaa48897dd625088b313c313c6a595794dae1c5cf0e4b7f90f37b77f269334dfa4cd73f11f20f029345ad0a8945d26a69c2505fa7

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_setup.png

MD5 8cb9c1bf91ecc37b2d27cf8579a33777
SHA1 42cc9b00fff70da1ef6368f83c56ae3c8ea9c589
SHA256 63ccdbfe6850beda039df71a9945c5aa0f85d424b9c5fc2080b60fe73e2c0a4d
SHA512 331c5c834829893584d5de25adcfb04e778a4495db9fb9176d3e2baa67c87b00f1b8a801476791e51c63a2d89cdb8b6b3af18074ac673d478b732ae8977e1e6b

C:\Users\Admin\AppData\Local\Temp\is-1C0CU.tmp\btn_min.png

MD5 b6a2f534203abef2c3c390bdae124e09
SHA1 9485a9d05acc9f0a3f4d7bdeae477af0a2770988
SHA256 1b9bf803361bea6ab8744ba177db27d74c6fd82ebf05c610b34940c5085f096d
SHA512 6b3d080828dc142dbfc2d325bfe4e0d7ad69c8c30a851ea7039ba7308a2701f2b668204e69b34577d150f65403a901edd98a3293d70556e8e0855394a417a9ae

\Windows\SysWOW64\svchcst.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2684-159-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2540-162-0x0000000002000000-0x000000000200E000-memory.dmp

memory/2540-160-0x0000000000400000-0x0000000000586000-memory.dmp

memory/2540-161-0x0000000001FE0000-0x0000000001FF5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 12:30

Reported

2024-06-05 12:36

Platform

win10v2004-20240426-en

Max time kernel

0s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240600906.bat" C:\Users\Admin\AppData\Local\Temp\look2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\240600906.bat C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File created C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3660 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 3660 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 3660 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 3660 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 3660 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 3660 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe
PID 1900 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 1900 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp
PID 1900 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

"C:\Users\Admin\AppData\Local\Temp\2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe"

C:\Users\Admin\AppData\Local\Temp\look2.exe

C:\Users\Admin\AppData\Local\Temp\\look2.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp" /SL5="$5016E,1110397,179200,C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe"

C:\Windows\SysWOW64\svchcst.exe

C:\Windows\system32\svchcst.exe "c:\windows\system32\240600906.bat",MainThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp

Files

C:\Windows\SysWOW64\240600906.bat

MD5 2b2cab888e75457167b1dd81ff0a39dd
SHA1 a06433e15ed74c87254ba87090e3f7d1bba1e486
SHA256 3b2f39609bc733286412da568e10f630aaa624ace69f99a0daab7fdb1aea7014
SHA512 355f1551d22ac29dff1cc20e0ae7a39cea43c35e7dc9659bd67eabad09587f611bdc27c4bfdd064a6abe8160ee8aef61746bb57dad442b5fdbea41f265c45450

C:\Users\Admin\AppData\Local\Temp\look2.exe

MD5 2f3b6f16e33e28ad75f3fdaef2567807
SHA1 85e907340faf1edfc9210db85a04abd43d21b741
SHA256 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512 db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

C:\Users\Admin\AppData\Local\Temp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.exe

MD5 fc82bffaedac9a735d2abdfed3e20843
SHA1 8a782efa2eb830785ac09690ca1fc9b13b7b9b39
SHA256 f83c599649b92be000220a63ae3e98e081efabdabb4449965832ab212c802cd2
SHA512 8ca9b9e30b62e1e9207c263855144358d7272145099cc64c74afcf4da199993de1b5db00a236adff338bfdb8446bccc0992124ba09e98b3cb686a91b367c2b25

memory/1900-20-0x0000000000401000-0x0000000000417000-memory.dmp

memory/1900-18-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4RE0V.tmp\HD_2ca6bbdb40c8c7df583f451f1638ee7b3ea1c844f3d805f294f623fa93a20a28.tmp

MD5 d7d4116cc40ad6c8c261114c9d25a009
SHA1 1bf6653af8bfec61841c85b7dab09610e5c1c04a
SHA256 ae86d5ffe70763e6c16535010e23319f7ec947f6d4fc90db90c5cb6800fbc246
SHA512 48b293a6494a43f11cf59895fc0bba4f5d0375b204e1215389ec94ab6669bcc7c4dd2daf6dfa793d62ee3dc3c6c50b400e6f0d6da840fa76f898deba8eba976b

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 3d2ace4d383b9460521ab9bcf7007bd9
SHA1 e3eb2157d3f9aa1c730256a8b6ecfe2ce6c501d1
SHA256 fda48416d561902bf1883d3683f996a0fff43e3aba1113e63fce17aa92fd2309
SHA512 070bd3b3249874986558fb9ff00e89599654571071b94417bcd60e69fb24797de11139f7976d11d78821dba583d696d65bc87183637601548bf5ecfaac5b0c2f

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\innocallback.dll

MD5 1c55ae5ef9980e3b1028447da6105c75
SHA1 f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\botva2.dll

MD5 0177746573eed407f8dca8a9e441aa49
SHA1 6b462adf78059d26cbc56b3311e3b97fcb8d05f7
SHA256 a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008
SHA512 d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

memory/3672-59-0x0000000007640000-0x000000000764E000-memory.dmp

memory/3672-51-0x0000000007520000-0x0000000007535000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_close.png

MD5 684a1fe844a84f7f83682b2a197b3597
SHA1 132cfffa79237b3466299b41eece06c2cb8a96c3
SHA256 5e1450f7f6a8f27e55cd61c775ba3901fd8fe0844f514187fad399a1f814ca4d
SHA512 700be65de1a40715709895f55315b1b5d133b0b5250fcccbad05f715bdce1b4e20c918593c620aa90e1fed2b9793a5047e460322dfa982a5314109bd2dbf2c95

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_n.png

MD5 ae55da6af3d875ae8be8def9123dcad4
SHA1 9dccceaa003cad7829313d18e42235e615f18bc5
SHA256 7b371f1ebb1e3d63341f09002ceaf070e3db865ffeb8e13da89749f8836655da
SHA512 06dcdd3a6b78882bbf2e93132a4995daeb690e966e08b3686382201486d2cf53081aef0f7b60af99261c4ba16aea2f6f9e7c578f0ff0eb9b268f1450660160bf

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_Browser.png

MD5 a4c938229252d5e12c4acd36233ae433
SHA1 bc765e8c232667815394fda329bfbd8efce3315a
SHA256 27d9aa4f44f75e37f74a4c9a9c08b0b5cc24b2f10da5d59a635e08ff21b7f0db
SHA512 8b15fb457f8d9ddd0a3edb45e7be252b533c5c6f8695ce079a3458bd4ffbe92151c732ef194afa369e468f0aec04bbbc9239347ff9a1b7009b700157044495da

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\back.png

MD5 58e38e7f83a055af72eb9b690727bba1
SHA1 cd146465433b50ef7045d29e047f7078dd4830f8
SHA256 97a307fada06d941311934016961dd022f929c290eb566503d1f027b74f4ddf3
SHA512 4327fead8ef651273ea98d74da37b178a78478bf49f8eeff2edcd78f5320520a360895977544510a6377e7f14f7fa242862c4555c26b596e8b49e107139030e9

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_setup.png

MD5 8cb9c1bf91ecc37b2d27cf8579a33777
SHA1 42cc9b00fff70da1ef6368f83c56ae3c8ea9c589
SHA256 63ccdbfe6850beda039df71a9945c5aa0f85d424b9c5fc2080b60fe73e2c0a4d
SHA512 331c5c834829893584d5de25adcfb04e778a4495db9fb9176d3e2baa67c87b00f1b8a801476791e51c63a2d89cdb8b6b3af18074ac673d478b732ae8977e1e6b

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\btn_min.png

MD5 b6a2f534203abef2c3c390bdae124e09
SHA1 9485a9d05acc9f0a3f4d7bdeae477af0a2770988
SHA256 1b9bf803361bea6ab8744ba177db27d74c6fd82ebf05c610b34940c5085f096d
SHA512 6b3d080828dc142dbfc2d325bfe4e0d7ad69c8c30a851ea7039ba7308a2701f2b668204e69b34577d150f65403a901edd98a3293d70556e8e0855394a417a9ae

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\checkboxdeep.png

MD5 9e693f05d0ed1a24e7ced0e5bc45f21f
SHA1 1ada5d34ebba6e54cfb68a899e64f78e56529ae6
SHA256 7bcd9a1ec59f46c694a1f1c8d61d4e14012a8497d33ff11b13fa951f712557ea
SHA512 d6ada4bf49c30b4bed6645e73c11bae28fcba6dee77372db842e5884393e866013586ede5084418e91c3cb3a0fad6c7f8c18a65a73f3b3c0fbce989d42bb2a9e

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\license.png

MD5 c9eeca6b0551598f0f6eb3e3e45c1a8f
SHA1 0555af84be67ba5cfba64d4799ef50692c2c64a4
SHA256 3e38c35c1f6c11bc435855b7b7d6ad3632e23c7a5cb1a65f05d6b4c9f72d0c45
SHA512 2cbdb479436ec7a298e6b89f5e5eb09a8ae497b597c88fdcc94c3bdcb1633b6f510c67a3ad217acc7d6716b2ba2feb4b5119183e90d1544bedab48cbf17a7f62

C:\Users\Admin\AppData\Local\Temp\is-JV4O6.tmp\xy.png

MD5 4a94e49806b7f6ef37b473869ac9233a
SHA1 83821dda7cd06aec9260fa37435eacfc0a25af82
SHA256 a01b9b45286135719f37fbb66494fa2812253df6853e0b077db2e7d21910df72
SHA512 6a169347c61dcca40e399fbaaa48897dd625088b313c313c6a595794dae1c5cf0e4b7f90f37b77f269334dfa4cd73f11f20f029345ad0a8945d26a69c2505fa7

C:\Windows\SysWOW64\svchcst.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/3672-158-0x0000000000400000-0x0000000000586000-memory.dmp

memory/3672-160-0x0000000007640000-0x000000000764E000-memory.dmp

memory/3672-159-0x0000000007520000-0x0000000007535000-memory.dmp

memory/1900-157-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3672-168-0x0000000007640000-0x000000000764E000-memory.dmp

memory/3672-167-0x0000000007520000-0x0000000007535000-memory.dmp