gh0strat | 2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb

General

Target

2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe
Size

1.9MB
MD5

fbe2e8bf813bb82db80b332efe1dc17f
SHA1

f771f5d0246a2dccbf4ea6cfd1d77a33bd87ded3
SHA256

2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb
SHA512

a05f9d7f0f8d0626f9c8d1a961f3e9defd46836f9ef22d75d2f921edd5fbabd9021142ee68c6f1c184ea897f896483dbccbc1f2c93c0c32d85363071bbb80f22
SSDEEP

24576:DYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9HpyzHlWPY8sDrXjioG03:DYREXSVMKi3hFsDrXjd

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0036000000015c7f-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259400552.bat"	look2.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	look2.exe
2800	svchcst.exe

Loads dropped DLL 5 IoCs

pid	Process
2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe
3064	look2.exe
2184	svchost.exe
2184	svchost.exe
2800	svchcst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\259400552.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe
2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3064	2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe	28
PID 2960 wrote to memory of 3064	2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe	28
PID 2960 wrote to memory of 3064	2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe	28
PID 2960 wrote to memory of 3064	2960	2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe	28
PID 2184 wrote to memory of 2800	2184	svchost.exe	31
PID 2184 wrote to memory of 2800	2184	svchost.exe	31
PID 2184 wrote to memory of 2800	2184	svchost.exe	31
PID 2184 wrote to memory of 2800	2184	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe
"C:\Users\Admin\AppData\Local\Temp\2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259400552.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.9MB

MD5
fbe2e8bf813bb82db80b332efe1dc17f

SHA1
f771f5d0246a2dccbf4ea6cfd1d77a33bd87ded3

SHA256
2462508146112d31b5f9e34af81cebed4cd95b4186bad4b870aa8a0c8f1061cb

SHA512
a05f9d7f0f8d0626f9c8d1a961f3e9defd46836f9ef22d75d2f921edd5fbabd9021142ee68c6f1c184ea897f896483dbccbc1f2c93c0c32d85363071bbb80f22

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
fb66e1e31fa1e6dfb21a50ccd11e0409

SHA1
6c45a0a115ec896eb14a531a44809b2a22cf8934

SHA256
5ea8c5455f0ebe884ed98834e78ead8b6c68814bbb1723370299fa44b88c0faa

SHA512
58ee149f70438296a67d5ae5cbd6cb9f5b2510a0381466b8f09eec3835be1ce7cad6903ca8fbc9273105132e85952208e78c59f776416c5449b86cc62111154b

Download Submit
\Windows\SysWOW64\259400552.bat

Filesize
51KB

MD5
52a9b6f37732a76103657a97332895e0

SHA1
3aad9dd3a176c9262e2b4eb0d9f3e759efb18f36

SHA256
1dcf8e897ca6a8e92a8378bc0b0c12d4fdcaf37d6cb556f9408cd9628a5fe832

SHA512
4954891e3bd841bb6a17afe1ea5b8fafa627ce8eb805195f3cf092b70e1870c619d0612f3bf5318b1797e00419da9a92ebefd2b00f8c21fa0e6fc4bddff2ffb7

Download Submit

Analysis

Sharing