gh0strat | f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20

General

Target

f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
Size

2.4MB
MD5

aa89115709cd72b95d39415755ffbda0
SHA1

9417f30d4c9499b88abd9de8a51fa30e0c8898c5
SHA256

f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20
SHA512

1a3875299cabfd7658d9d50b7c46ce4aa4a70c89dfe06905cbd0132a618ddac6ad22acd166af7436c8bedf4fc94384e77f682111b4179fbd3d3c4a47bbaa5394
SSDEEP

24576:oYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9LyzCCgjBAeu8iuUHGzkuBhzy2F+yVICFP5:oYREXSVMKi3VCI7XBE2IuF64rIlmdii

Score

10^/10

gh0strat mimikatz discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b40-5.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b44-16.dat	mimikatz

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240612703.bat"	look2.exe

Executes dropped EXE 3 IoCs

pid	Process
2640	look2.exe
2060	HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
1728	svchcst.exe

Loads dropped DLL 3 IoCs

pid	Process
2640	look2.exe
1680	svchost.exe
1728	svchcst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240612703.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	look2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2640	1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	83
PID 1384 wrote to memory of 2640	1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	83
PID 1384 wrote to memory of 2640	1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	83
PID 1384 wrote to memory of 2060	1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	86
PID 1384 wrote to memory of 2060	1384	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	86
PID 1680 wrote to memory of 1728	1680	svchost.exe	88
PID 1680 wrote to memory of 1728	1680	svchost.exe	88
PID 1680 wrote to memory of 1728	1680	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
"C:\Users\Admin\AppData\Local\Temp\f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
  C:\Users\Admin\AppData\Local\Temp\HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
  2⤵
  - Executes dropped EXE
  PID:2060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:3964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\240612703.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Filesize
1.3MB

MD5
29efd64dd3c7fe1e2b022b7ad73a1ba5

SHA1
e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69

SHA256
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1

SHA512
f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
fb66e1e31fa1e6dfb21a50ccd11e0409

SHA1
6c45a0a115ec896eb14a531a44809b2a22cf8934

SHA256
5ea8c5455f0ebe884ed98834e78ead8b6c68814bbb1723370299fa44b88c0faa

SHA512
58ee149f70438296a67d5ae5cbd6cb9f5b2510a0381466b8f09eec3835be1ce7cad6903ca8fbc9273105132e85952208e78c59f776416c5449b86cc62111154b

Download Submit
C:\Windows\SysWOW64\240612703.bat

Filesize
51KB

MD5
acbfcb951af16fe42ecf3def6eda63b3

SHA1
cb53b04c0d6fbcb36dc828f15669fb2d70ac3c5e

SHA256
b32c034de8eda2e93bc11336d2d7db3c5b6204f447d09c192e1f5c227d2072fb

SHA512
0c11b2cda752d32b3831466f7568da9f231c6a1196d3b1fd0c4bacec83ba0b19b9b706b1867435c8a0afea1fa23257ae7f70cbca7720daada28882d6c3d1d089

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing