gh0strat | f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20

General

Target

f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
Size

2.4MB
MD5

aa89115709cd72b95d39415755ffbda0
SHA1

9417f30d4c9499b88abd9de8a51fa30e0c8898c5
SHA256

f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20
SHA512

1a3875299cabfd7658d9d50b7c46ce4aa4a70c89dfe06905cbd0132a618ddac6ad22acd166af7436c8bedf4fc94384e77f682111b4179fbd3d3c4a47bbaa5394
SSDEEP

24576:oYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9LyzCCgjBAeu8iuUHGzkuBhzy2F+yVICFP5:oYREXSVMKi3VCI7XBE2IuF64rIlmdii

Score

10^/10

gh0strat mimikatz discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000186e7-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018704-15.dat	mimikatz

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259439662.bat"	look2.exe

Executes dropped EXE 3 IoCs

pid	Process
2088	look2.exe
2556	HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
2928	svchcst.exe

Loads dropped DLL 8 IoCs

pid	Process
3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
2088	look2.exe
2144	svchost.exe
3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
1488	Process not Found
2144	svchost.exe
2928	svchcst.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\259439662.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	look2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2088	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	30
PID 3068 wrote to memory of 2088	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	30
PID 3068 wrote to memory of 2088	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	30
PID 3068 wrote to memory of 2088	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	30
PID 3068 wrote to memory of 2556	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	33
PID 3068 wrote to memory of 2556	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	33
PID 3068 wrote to memory of 2556	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	33
PID 3068 wrote to memory of 2556	3068	f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe	33
PID 2144 wrote to memory of 2928	2144	svchost.exe	36
PID 2144 wrote to memory of 2928	2144	svchost.exe	36
PID 2144 wrote to memory of 2928	2144	svchost.exe	36
PID 2144 wrote to memory of 2928	2144	svchost.exe	36

C:\Users\Admin\AppData\Local\Temp\f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
"C:\Users\Admin\AppData\Local\Temp\f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
  C:\Users\Admin\AppData\Local\Temp\HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe
  2⤵
  - Executes dropped EXE
  PID:2556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259439662.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
4a523fd73945808a400c8ffe35adeb26

SHA1
d7051a1aa3f194bafaf590db7cf952aea86e2d4d

SHA256
cb27e87ee01ad46c165763b0e0c982ac1779093babed5d654fb04f4b3cd01f22

SHA512
b435d240933dacbf57a359c3e259f4f7829514db6e6e1624d9626995b4f2e79d5024295046c5dad139b369ea6374d3c9b47e44068531a730ae3d5d4fdb04e6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
fb66e1e31fa1e6dfb21a50ccd11e0409

SHA1
6c45a0a115ec896eb14a531a44809b2a22cf8934

SHA256
5ea8c5455f0ebe884ed98834e78ead8b6c68814bbb1723370299fa44b88c0faa

SHA512
58ee149f70438296a67d5ae5cbd6cb9f5b2510a0381466b8f09eec3835be1ce7cad6903ca8fbc9273105132e85952208e78c59f776416c5449b86cc62111154b

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\HD_f332e2f30070ae793d13b5664acec47dc140270825144e69cfc5859d5cce8d20.exe

Filesize
1.3MB

MD5
29efd64dd3c7fe1e2b022b7ad73a1ba5

SHA1
e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69

SHA256
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1

SHA512
f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3

Download Submit
\Windows\SysWOW64\259439662.bat

Filesize
51KB

MD5
6f03c696be78d81fb906a2f6f3c0aa91

SHA1
babcdeec13b8aca4ead3d6b449ce9d1864d18e01

SHA256
1353e312adc3edc2f106b421bd394cf83d621921dd9778abaf6f3212634b60b7

SHA512
9013483b5dd679c1b284e88507bc648dadb075a44fe7763487e920b31854a20689376519a7dfeb6e1988238dbb3db7f5a150694c55a4a5a75e9c8fe3080dc67c

Download Submit

Analysis

Sharing