Malware Analysis Report

2025-01-22 14:45

Sample ID 240605-ppqyxagc23
Target 3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887
SHA256 3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887
Tags
gh0strat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887

Threat Level: Known bad

The file 3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887 was found to be: Known bad.

Malicious Activity Summary

gh0strat persistence rat

Gh0st RAT payload

Gh0strat

Sets DLL path for service in the registry

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 12:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 12:30

Reported

2024-06-05 12:36

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259402128.bat" C:\Users\Admin\AppData\Local\Temp\look2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchcst.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\259402128.bat C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File created C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2016 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2016 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2016 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 2016 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 2016 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 2016 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 2016 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2576 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2216 wrote to memory of 1820 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2216 wrote to memory of 1820 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2216 wrote to memory of 1820 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe
PID 2216 wrote to memory of 1820 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

"C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"

C:\Users\Admin\AppData\Local\Temp\look2.exe

C:\Users\Admin\AppData\Local\Temp\\look2.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp" /SL5="$60124,1179169,182272,C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"

C:\Windows\SysWOW64\svchcst.exe

C:\Windows\system32\svchcst.exe "c:\windows\system32\259402128.bat",MainThread

Network

Country Destination Domain Proto
US 8.8.8.8:53 kinh.xmcxmr.com udp

Files

\Users\Admin\AppData\Local\Temp\look2.exe

MD5 2f3b6f16e33e28ad75f3fdaef2567807
SHA1 85e907340faf1edfc9210db85a04abd43d21b741
SHA256 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512 db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

\Windows\SysWOW64\259402128.bat

MD5 2b2cab888e75457167b1dd81ff0a39dd
SHA1 a06433e15ed74c87254ba87090e3f7d1bba1e486
SHA256 3b2f39609bc733286412da568e10f630aaa624ace69f99a0daab7fdb1aea7014
SHA512 355f1551d22ac29dff1cc20e0ae7a39cea43c35e7dc9659bd67eabad09587f611bdc27c4bfdd064a6abe8160ee8aef61746bb57dad442b5fdbea41f265c45450

\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

MD5 aea5bf1109feb93aec0b4a0808ee054e
SHA1 28c8bb5eb3cea7b3e3da919753b43916909bd652
SHA256 1400af59b04d10c0f2896652a35b4eb073578709d7c0909930c4aca78617bfef
SHA512 0ff39f51577e808aae668d6b967718b892b3e1e01616ee17df14e95bfbb58129e00f616147df0ef475ce2496d63ca3554accc91e47e8edd59bfe65fdb09f6cd4

memory/2576-22-0x0000000000401000-0x0000000000417000-memory.dmp

memory/2576-19-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-O2OE1.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp

MD5 8833727ebfd1264787f81e16658f9450
SHA1 b0977c48020c14d2bbac5c7c1aa73765eb283956
SHA256 06ecce7ef1f1d8278c130a8085ff86685f20b9fef4b3ac620e615e36ecd629b7
SHA512 d9df6e7e8a94095b6349e707801be9a9c6e51212355e1cca076ba40bb57c1e2cb600f387bd540cb97dbab998ecc9233b50e7700244a54eccc5e5b39966a1913a

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 254efb0b5866be052de111ace90567cb
SHA1 964821ed6863613ac2711629cfa0f48ac1d7ff9d
SHA256 a3f131a67bfa11c16a98d567e51aba3bef20099ba1ae79a3dcd5cd56a9ec9124
SHA512 da8fd33aa482f84160f8524724b13d9aa92d85999c0a7f16cd6bf551bd7fc54addbbfea532039f612d50325dcedfb7256953507d55f19f7a192f78ba825d98ac

\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/2648-58-0x0000000002070000-0x000000000207E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\botva2.dll

MD5 0177746573eed407f8dca8a9e441aa49
SHA1 6b462adf78059d26cbc56b3311e3b97fcb8d05f7
SHA256 a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008
SHA512 d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

memory/2648-53-0x00000000073D0000-0x00000000073E5000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\innocallback.dll

MD5 1c55ae5ef9980e3b1028447da6105c75
SHA1 f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_close.png

MD5 7028bcf9a5b8590aed967810a6ec2876
SHA1 a21a20212dd141b52ccfe5474db87867e86f1450
SHA256 2ddba2bc9b928eb58a934f690a57b9be7d2e781338735b9c854fbf4e9b4d291a
SHA512 78746a8c7fcaf34ad436eaf81182d36c17ab2462cb2541c7064393a3e758c1c70328c25cb66ab44bb302780f8fe0a64f82c2e749f811c68303018a3cfa1ad6e4

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_Browser.png

MD5 6ef5ac510ea87d854d4e593f00b7faa9
SHA1 7ffb75b6516c6bcdf61975a31d64ee89f90a6dd6
SHA256 7ef58ffbbcae80e855125fb3ad7e5bc2b71e361b3024fc06c9c3e62120fde879
SHA512 ed8813e221676bf48bfbfd50fe7b500a5a89eec850b8c66d3bc647888eddc4ed927e70b5025ba9d8ddadad5616e27e52b857369b31381ca00c6679354b39cd60

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\back.png

MD5 a3db6160a784b8d37493e21213e71d16
SHA1 de8763b71b90f9de05e4de11220c8404e765ee07
SHA256 a1d005b22042c6111f91c62e1336c720b921d356ff2ae739a61b3dee25237736
SHA512 bd58180268d44c075dbf1afe7e14b0334667abc5e1c2c1d58cbc89f973e24488aa80a0aab5961b1bc47f3db3bf05f570af3dfe250fa6f77b50bda64f222f664e

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_n.png

MD5 9d996568e415ac4aefed00a586ad9954
SHA1 2e56c1bff8c6f6b2ca65348cdbb79f3dc8526049
SHA256 4b436df0da832222da79fb9a6cd54f3344aa6ab66f61a280f8c95822dbd2f1f0
SHA512 5a2e8ed95e0facc35577f2a182ade8cc3af58e3d2d098fd4b85541fd6cd4c8a6bb9b2aa93e33ff5e5aa6547d4c55442f291a825d87875eb291f2a35d2e06f9d3

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_setup.png

MD5 3c390e1f00847c63c44b5d3f75f4b015
SHA1 b6925e1a5f4d31e314a019bb7e313d5625b4e6db
SHA256 a79dfdd5d4b6262d606fd905162b79de9e91b1c2a39907832b18a2723eb57306
SHA512 1411f807dfa6cd053783ecf25d7603ffb18e3d125c056ea6dd66999d818550801dbd804b9958beccf7b2a7eec0c516a2bb630c72ac87978a8c23ad295a5d949e

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\btn_min.png

MD5 387d3d3c9e2fba5470b53064187230d8
SHA1 326a785aa9429afb4d4097cb4527aca0b5cbb0c1
SHA256 9315067dff0ab80dc6d03950b4f281f02ba658727ad51098c083d09fd0011d0f
SHA512 5b81154157f326c04b167510cc1f3c272af4ebc6f0ec393c80d2b340b6aebf4ea130ab8b21949147831b91541f722d8d7810bcae55c6836d440984712eecae6a

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\checkboxdeep.png

MD5 f61d05867df096a954ff4bc18bfccffe
SHA1 28e52d13b41ec0d5f4e1df74cef91d46161a93dd
SHA256 f080cdcabeef8ce0e78b64e9fdfb75b77018224c72fccc47ecc5b7857d78621f
SHA512 c25a538ad39a64fb56ecc809b27462bebcb6e2f5cb8732d4c109238059fb668ae3fef202de540cc452078bb1944bdef1efd3cb6bff3c4789c92dc16c01ecc551

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\license.png

MD5 f277a257878c5cbdde1660a5783ef260
SHA1 8a1607a6f6693840e5878c94e8010b5d95819724
SHA256 54ab740185e274ccf6bd436069c912ed2e671377e2a7a1271d70d97b55458d88
SHA512 0d7f5d0eebef43d6582ac4488b2801e2bbc24138949a316972eb1d2ea286c45a77be3ff2b2d56ef6780b1f844a2d82cefd74337cbdb5a1f7241dc2135338ba52

C:\Users\Admin\AppData\Local\Temp\is-T2ALG.tmp\xy.png

MD5 0b88d63d20edc1796d4ac2a77a7acc5b
SHA1 7c5b7d042b6a286b6136f10dfc6d11501ec9a0db
SHA256 dde7df96a7e49c8ec1cecaa31746c0fdfe42b3e528ed41a0cf971ba254ac7e73
SHA512 7f02d2110a2231d352b9637f9d76838a28567a1d8085e8d2b572351d1f1ae9ab5486e2f837eed9206e7f20ea015a59ca72bb249f5e340c8fa1206890d3ee6383

C:\Windows\SysWOW64\svchcst.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2648-160-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2648-162-0x0000000002070000-0x000000000207E000-memory.dmp

memory/2648-161-0x00000000073D0000-0x00000000073E5000-memory.dmp

memory/2576-159-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 12:30

Reported

2024-06-05 12:36

Platform

win10v2004-20240226-en

Max time kernel

17s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240663921.bat" C:\Users\Admin\AppData\Local\Temp\look2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\240663921.bat C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\look2.exe N/A
File created C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchcst.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1964 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1964 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\look2.exe
PID 1964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 1964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 1964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe
PID 2788 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2788 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp
PID 2788 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

"C:\Users\Admin\AppData\Local\Temp\3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"

C:\Users\Admin\AppData\Local\Temp\look2.exe

C:\Users\Admin\AppData\Local\Temp\\look2.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchcst"

C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp" /SL5="$5016C,1179169,182272,C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe"

C:\Windows\SysWOW64\svchcst.exe

C:\Windows\system32\svchcst.exe "c:\windows\system32\240663921.bat",MainThread

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 kinh.xmcxmr.com udp
US 8.8.8.8:53 kinh.xmcxmr.com udp

Files

C:\Users\Admin\AppData\Local\Temp\look2.exe

MD5 2f3b6f16e33e28ad75f3fdaef2567807
SHA1 85e907340faf1edfc9210db85a04abd43d21b741
SHA256 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512 db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

C:\Windows\SysWOW64\240663921.bat

MD5 2b2cab888e75457167b1dd81ff0a39dd
SHA1 a06433e15ed74c87254ba87090e3f7d1bba1e486
SHA256 3b2f39609bc733286412da568e10f630aaa624ace69f99a0daab7fdb1aea7014
SHA512 355f1551d22ac29dff1cc20e0ae7a39cea43c35e7dc9659bd67eabad09587f611bdc27c4bfdd064a6abe8160ee8aef61746bb57dad442b5fdbea41f265c45450

C:\Users\Admin\AppData\Local\Temp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.exe

MD5 aea5bf1109feb93aec0b4a0808ee054e
SHA1 28c8bb5eb3cea7b3e3da919753b43916909bd652
SHA256 1400af59b04d10c0f2896652a35b4eb073578709d7c0909930c4aca78617bfef
SHA512 0ff39f51577e808aae668d6b967718b892b3e1e01616ee17df14e95bfbb58129e00f616147df0ef475ce2496d63ca3554accc91e47e8edd59bfe65fdb09f6cd4

memory/2788-18-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2788-20-0x0000000000401000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-EAE5U.tmp\HD_3475fefc871df0b71f329e5c4f1e5b5d61b54d87a8451e1bc47a83e779dbf887.tmp

MD5 8833727ebfd1264787f81e16658f9450
SHA1 b0977c48020c14d2bbac5c7c1aa73765eb283956
SHA256 06ecce7ef1f1d8278c130a8085ff86685f20b9fef4b3ac620e615e36ecd629b7
SHA512 d9df6e7e8a94095b6349e707801be9a9c6e51212355e1cca076ba40bb57c1e2cb600f387bd540cb97dbab998ecc9233b50e7700244a54eccc5e5b39966a1913a

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 254efb0b5866be052de111ace90567cb
SHA1 964821ed6863613ac2711629cfa0f48ac1d7ff9d
SHA256 a3f131a67bfa11c16a98d567e51aba3bef20099ba1ae79a3dcd5cd56a9ec9124
SHA512 da8fd33aa482f84160f8524724b13d9aa92d85999c0a7f16cd6bf551bd7fc54addbbfea532039f612d50325dcedfb7256953507d55f19f7a192f78ba825d98ac

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\innocallback.dll

MD5 1c55ae5ef9980e3b1028447da6105c75
SHA1 f85218e10e6aa23b2f5a3ed512895b437e41b45c
SHA256 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
SHA512 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

memory/4004-50-0x00000000034F0000-0x0000000003505000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\botva2.dll

MD5 0177746573eed407f8dca8a9e441aa49
SHA1 6b462adf78059d26cbc56b3311e3b97fcb8d05f7
SHA256 a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008
SHA512 d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

memory/4004-58-0x0000000003520000-0x000000000352E000-memory.dmp

C:\Windows\SysWOW64\svchcst.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_close.png

MD5 7028bcf9a5b8590aed967810a6ec2876
SHA1 a21a20212dd141b52ccfe5474db87867e86f1450
SHA256 2ddba2bc9b928eb58a934f690a57b9be7d2e781338735b9c854fbf4e9b4d291a
SHA512 78746a8c7fcaf34ad436eaf81182d36c17ab2462cb2541c7064393a3e758c1c70328c25cb66ab44bb302780f8fe0a64f82c2e749f811c68303018a3cfa1ad6e4

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_setup.png

MD5 3c390e1f00847c63c44b5d3f75f4b015
SHA1 b6925e1a5f4d31e314a019bb7e313d5625b4e6db
SHA256 a79dfdd5d4b6262d606fd905162b79de9e91b1c2a39907832b18a2723eb57306
SHA512 1411f807dfa6cd053783ecf25d7603ffb18e3d125c056ea6dd66999d818550801dbd804b9958beccf7b2a7eec0c516a2bb630c72ac87978a8c23ad295a5d949e

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_n.png

MD5 9d996568e415ac4aefed00a586ad9954
SHA1 2e56c1bff8c6f6b2ca65348cdbb79f3dc8526049
SHA256 4b436df0da832222da79fb9a6cd54f3344aa6ab66f61a280f8c95822dbd2f1f0
SHA512 5a2e8ed95e0facc35577f2a182ade8cc3af58e3d2d098fd4b85541fd6cd4c8a6bb9b2aa93e33ff5e5aa6547d4c55442f291a825d87875eb291f2a35d2e06f9d3

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_Browser.png

MD5 6ef5ac510ea87d854d4e593f00b7faa9
SHA1 7ffb75b6516c6bcdf61975a31d64ee89f90a6dd6
SHA256 7ef58ffbbcae80e855125fb3ad7e5bc2b71e361b3024fc06c9c3e62120fde879
SHA512 ed8813e221676bf48bfbfd50fe7b500a5a89eec850b8c66d3bc647888eddc4ed927e70b5025ba9d8ddadad5616e27e52b857369b31381ca00c6679354b39cd60

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\back.png

MD5 a3db6160a784b8d37493e21213e71d16
SHA1 de8763b71b90f9de05e4de11220c8404e765ee07
SHA256 a1d005b22042c6111f91c62e1336c720b921d356ff2ae739a61b3dee25237736
SHA512 bd58180268d44c075dbf1afe7e14b0334667abc5e1c2c1d58cbc89f973e24488aa80a0aab5961b1bc47f3db3bf05f570af3dfe250fa6f77b50bda64f222f664e

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\btn_min.png

MD5 387d3d3c9e2fba5470b53064187230d8
SHA1 326a785aa9429afb4d4097cb4527aca0b5cbb0c1
SHA256 9315067dff0ab80dc6d03950b4f281f02ba658727ad51098c083d09fd0011d0f
SHA512 5b81154157f326c04b167510cc1f3c272af4ebc6f0ec393c80d2b340b6aebf4ea130ab8b21949147831b91541f722d8d7810bcae55c6836d440984712eecae6a

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\xy.png

MD5 0b88d63d20edc1796d4ac2a77a7acc5b
SHA1 7c5b7d042b6a286b6136f10dfc6d11501ec9a0db
SHA256 dde7df96a7e49c8ec1cecaa31746c0fdfe42b3e528ed41a0cf971ba254ac7e73
SHA512 7f02d2110a2231d352b9637f9d76838a28567a1d8085e8d2b572351d1f1ae9ab5486e2f837eed9206e7f20ea015a59ca72bb249f5e340c8fa1206890d3ee6383

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\checkboxdeep.png

MD5 f61d05867df096a954ff4bc18bfccffe
SHA1 28e52d13b41ec0d5f4e1df74cef91d46161a93dd
SHA256 f080cdcabeef8ce0e78b64e9fdfb75b77018224c72fccc47ecc5b7857d78621f
SHA512 c25a538ad39a64fb56ecc809b27462bebcb6e2f5cb8732d4c109238059fb668ae3fef202de540cc452078bb1944bdef1efd3cb6bff3c4789c92dc16c01ecc551

C:\Users\Admin\AppData\Local\Temp\is-0D637.tmp\license.png

MD5 f277a257878c5cbdde1660a5783ef260
SHA1 8a1607a6f6693840e5878c94e8010b5d95819724
SHA256 54ab740185e274ccf6bd436069c912ed2e671377e2a7a1271d70d97b55458d88
SHA512 0d7f5d0eebef43d6582ac4488b2801e2bbc24138949a316972eb1d2ea286c45a77be3ff2b2d56ef6780b1f844a2d82cefd74337cbdb5a1f7241dc2135338ba52

memory/2788-156-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4004-158-0x00000000034F0000-0x0000000003505000-memory.dmp

memory/4004-159-0x0000000003520000-0x000000000352E000-memory.dmp

memory/4004-157-0x0000000000400000-0x0000000000587000-memory.dmp

memory/4004-167-0x0000000003520000-0x000000000352E000-memory.dmp

memory/4004-166-0x00000000034F0000-0x0000000003505000-memory.dmp