gh0strat | 4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991

General

Target

4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
Size

3.9MB
MD5

16da897f4fec2f19848490d70688c1c6
SHA1

f88715a2dd895bdc3aa5ce1e633c749911a33f64
SHA256

4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991
SHA512

614f1677cee9f068858793347062af95dd8bcc692c99d64977cd12bd11dd9152309788bc59b0d39350825e32972460bb4409cfa53979fa1bfebab9b9aa368e8d
SSDEEP

98304:y2SVMD8uUUr8O9mnUpBfccAFN9ImRbuca1/gHpSwLzGxp2Ohcg2:C0s7an28N2

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023414-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240600500.bat"	look2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe

Executes dropped EXE 3 IoCs

pid	Process
2544	look2.exe
224	HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
3292	svchcst.exe

Loads dropped DLL 3 IoCs

pid	Process
2544	look2.exe
1472	svchost.exe
3292	svchcst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\240600500.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000006d4010424af5cf77353e9a1360dc1d1ed3bde604bb65559e76cc8284aadff0c6000000000e800000000200002000000097078c70f9f5adae8235e0b2a23c59c6a6bce55b76a918788aa0fe6acdb255f020000000976b0425d11f82e9af4dfbc6d7393b83f77b3aee8d39433e7f47b3e7301d186740000000e943f880a348ae56a14bf8c8deb429d42d880ee11425eb850339e80cf5f494438cbadb09711f24bc5d2759c2232894336fc943d5a434bf18bb341527ca874214	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40df323bdec6da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000002b6c58a93d3ac3ce71f58d30c5ed271f6df57f311b8c4f4d06f9435b7e81997a000000000e8000000002000020000000b18772c8e3061bf7776034f88453b4084287eccf8541393bbb03523d7ff522ea200000007bc6b6159f9de68fa42765dcd9d4df83b5f2f96c5b2643f9c668241816dcc3614000000062f6adb6de1eed433536f229ca17d1b64435b80a3b34f8e98037111eaf67877728d1d322900ee28044e53ca90b8bd6cfa65ba7da267c494d5ca487e53d352562	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300b3a3bdec6da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425467897"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{586F66FD-32D1-11EF-BCA5-EAA3B7AF2FC1} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5084	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
5084	IEXPLORE.EXE
5084	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2544	1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	81
PID 1204 wrote to memory of 2544	1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	81
PID 1204 wrote to memory of 2544	1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	81
PID 1204 wrote to memory of 224	1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	84
PID 1204 wrote to memory of 224	1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	84
PID 1204 wrote to memory of 224	1204	4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	84
PID 1472 wrote to memory of 3292	1472	svchost.exe	85
PID 1472 wrote to memory of 3292	1472	svchost.exe	85
PID 1472 wrote to memory of 3292	1472	svchost.exe	85
PID 224 wrote to memory of 4468	224	HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	86
PID 224 wrote to memory of 4468	224	HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	86
PID 224 wrote to memory of 4468	224	HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe	86
PID 4468 wrote to memory of 5084	4468	iexplore.exe	87
PID 4468 wrote to memory of 5084	4468	iexplore.exe	87
PID 5084 wrote to memory of 3004	5084	IEXPLORE.EXE	88
PID 5084 wrote to memory of 3004	5084	IEXPLORE.EXE	88
PID 5084 wrote to memory of 3004	5084	IEXPLORE.EXE	88

C:\Users\Admin\AppData\Local\Temp\4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
"C:\Users\Admin\AppData\Local\Temp\4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
  C:\Users\Admin\AppData\Local\Temp\HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:4952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240600500.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_4f5cddbaba6f63f31999f034abbc1f4a6104bc40dbe432c75777628098abf991.exe

Filesize
2.7MB

MD5
19b72e6dcf188c53fec0430827f87603

SHA1
7022e5ff6a6c0e1a086f7c704813ce7f3494eab4

SHA256
26263c9b8dc31d143536d825cf2786391c98ab0521d865501193904fe822168a

SHA512
a08f090f7d908860c450c8c38becb58df6ea3a1aed5b2714372b6870712b15206bbea4d0d74ca5fa2a56eeac85e7141f8d71a5b1a5b62259bfa18ca87f6f9561

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
7d649a6072fe01f530a2aef84b9a86f4

SHA1
09a11c9cc26b327914e627bb8744dfd6d7785e24

SHA256
df8db41696bcd3471df41e66f68d3223ee8e726bebab3bc92b10bcc328867bae

SHA512
375abab5e94cbf80bf4cc912e46bceb0ff81a9faa7d81398d688743691948b02bc944c0c47cb696d686419be1699367459c9e837a55b6fbc41941c0b78b7ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240600500.bat

Filesize
51KB

MD5
927e5e18c1f7afb09114adac28de841f

SHA1
d6934bb475ddcbce5d4d0877a99b7d420573a969

SHA256
fd11d3abd8a7c9b688d11998c5ba8db5ae6b3d84241a7b9189ec3f558eecea70

SHA512
2ac06b5a5efea217aa9f51f7d2d90170ff9916fcc76a246715feace2cb008f25525b3e3a70ad03e14f04868f55ef2d8747d93c653238e77cc881bbb55989763c

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing