gh0strat | 159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
Size

2.2MB
MD5

e2499d45781442f28937ca2eb24ff56c
SHA1

e22d6ac937ab8e99447ffc00a57d76c03e97df86
SHA256

159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73
SHA512

2efe9f3540312224b3b06ff4f3ce1f8ea2ffcf92e0147b81f3c88611ebc395805ad2da08cb768d95a4a86207c969b6d57dc8ebaf4a7e484601fcd60e65b09ad9
SSDEEP

49152:zEywVVvUji3TA3nsHyjtk2MYC5GDGisyn7dS:Q1VVv2883nsmtk2aQ7c

Score

10^/10

gh0strat xred backdoor discovery macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000191f3-6.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\259450098.bat"	GLk.exe

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000019620-119.dat
behavioral1/files/0x0008000000019621-130.dat

Executes dropped EXE 6 IoCs

pid	Process
2888	GLk.exe
1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
2760	._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
2608	Synaptics.exe
3052	._cache_Synaptics.exe
2296	svchist.exe

Loads dropped DLL 11 IoCs

pid	Process
1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
2888	GLk.exe
2320	svchost.exe
1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
2608	Synaptics.exe
2608	Synaptics.exe
2320	svchost.exe
2296	svchist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File created	C:\Windows\SysWOW64\259450098.bat	GLk.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	GLk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1256	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
1256	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2888	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	31
PID 1644 wrote to memory of 2888	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	31
PID 1644 wrote to memory of 2888	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	31
PID 1644 wrote to memory of 2888	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	31
PID 1644 wrote to memory of 1792	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	34
PID 1644 wrote to memory of 1792	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	34
PID 1644 wrote to memory of 1792	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	34
PID 1644 wrote to memory of 1792	1644	159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	34
PID 1792 wrote to memory of 2760	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	35
PID 1792 wrote to memory of 2760	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	35
PID 1792 wrote to memory of 2760	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	35
PID 1792 wrote to memory of 2760	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	35
PID 1792 wrote to memory of 2608	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	37
PID 1792 wrote to memory of 2608	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	37
PID 1792 wrote to memory of 2608	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	37
PID 1792 wrote to memory of 2608	1792	HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe	37
PID 2608 wrote to memory of 3052	2608	Synaptics.exe	38
PID 2608 wrote to memory of 3052	2608	Synaptics.exe	38
PID 2608 wrote to memory of 3052	2608	Synaptics.exe	38
PID 2608 wrote to memory of 3052	2608	Synaptics.exe	38
PID 2320 wrote to memory of 2296	2320	svchost.exe	40
PID 2320 wrote to memory of 2296	2320	svchost.exe	40
PID 2320 wrote to memory of 2296	2320	svchost.exe	40
PID 2320 wrote to memory of 2296	2320	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
"C:\Users\Admin\AppData\Local\Temp\159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\GLk.exe
  C:\Users\Admin\AppData\Local\Temp\\GLk.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
  C:\Users\Admin\AppData\Local\Temp\\HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe"
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      PID:3052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
PID:2492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\svchist.exe
  C:\Windows\system32\svchist.exe "c:\windows\system32\259450098.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2296

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25u8gtAJ.xlsm

Filesize
24KB

MD5
d7540c6d82365d7203884f6eb07cf287

SHA1
aaabaf76cbabc758bf3ff8f1f303e7eb49485541

SHA256
b297718508f49bc0d5f393a93a5717c3f0f70eaa327aedc94ee354f5c72f0b98

SHA512
e4585b273851b74cec987d13304d02dc1a5e46ca240e84694e3ced3125f36a41217717a5f3049171cd699f6fc13157cb5193fb0dec51b8436c654996c1de71d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\25u8gtAJ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\25u8gtAJ.xlsm

Filesize
31KB

MD5
0cb378be02ef0cb0a60d2c08f39acf63

SHA1
17a9c642ebc123dae46e9fca5cc4fc067d7d7143

SHA256
0168e462b2335bee3a9b1e012ddefb0b58ebbb905c2bca46c1e86cab1135d582

SHA512
ff02025bb8e8317f8808c522be488a72da423da4e85545200a6b0e08fe3a49d82da848b6a88365d46fb937ac8d130a1d0466a49f9989440eead1caab444498ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\25u8gtAJ.xlsm

Filesize
26KB

MD5
ab1ce368a58ca7170ac57cf136cc7459

SHA1
205ec79f966503ddef8d70f842629248b26cb6e3

SHA256
477a1103b5fcc635f496ea84c011348da42b1a39411badfcab59dde7e6370cf6

SHA512
cff7edac97a8e9e11a9d4565c01588a1894a609d1eadac967526a00e43573164fa818e8a6419023e0898e323b059fac54104d78aabb49099edbe5c134ab9de6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\25u8gtAJ.xlsm

Filesize
26KB

MD5
fc27f042afdf32c670e09bad766eba39

SHA1
f30faa481487a4ddf14d9c07c14d7ebcb8b6fed3

SHA256
09edf7b5e344a4098548b8a02104ec511bb1ec2c0e42553423b649dd265afa28

SHA512
2208ef0351eaf53b880b654bc1454e69febc06448e324f3b58cc4c4403ccea31065782126ff0610c0c15f7d40e684e2595c139d9a1e472de57dbd3ed4ddcd662

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
b4c74f141281b76cd65ab27730518aa0

SHA1
341cad358dbbe7fefc60f8ee75589560ab31a825

SHA256
b6006180bc5a72147e55d25139e7728cb43f92330d578116d765eaa900abfae6

SHA512
200b362e1130702bb3e9eea26fea004af0c12c94eac9e1da5ee850c215deecc903c302c086c77302fd9a8b861ca65feb800793094b69676c462092c0584a6559

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$25u8gtAJ.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

Filesize
299KB

MD5
430a5a0034d36d98ee100d97f58dd88d

SHA1
2a43f8663a21c8055b36521c49436bce535e9e9c

SHA256
831ef3bd56fc1bab96d6310466fb4f3563cf008512572e7fc0027c70dafe51d7

SHA512
d3b3101864ed9c1e01fcfabf47a08f64ee901227b107d2860a4bc96f44670870cf1a887bc7f4dfb9c0f0535a32a4fbc1aa1e4f183f1d5483f274a654cae1727a

Download Submit
\Users\Admin\AppData\Local\Temp\GLk.exe

Filesize
337KB

MD5
b8e58a96761799f4ad0548dba39d650c

SHA1
c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

SHA256
334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

SHA512
1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

Download Submit
\Users\Admin\AppData\Local\Temp\HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

Filesize
1.0MB

MD5
075dd995c2750cdcf87eeb180a81ccb7

SHA1
cae188c9e967765dbb7669ae094df2e6b7c2315b

SHA256
ea3b6456775bd3e399f13257cf95d9b58c86e9929a8a8ad9e2212921834fa525

SHA512
057f47499a8790da1eb8c944514b3d82d13c0f15a09f440c82fbcde433bf07f9212a730aa3176748ea8daddab0eb3b4d5eaf52d28a0adce1b01c86c76703275f

Download Submit
\Windows\SysWOW64\259450098.bat

Filesize
51KB

MD5
de9ea3913b4f3fa936ffcf3138be90ed

SHA1
55ee9a42429518cc3feae63cb2821dd80a81af23

SHA256
e8ede7d43baee88784df43ea51f1f824503ef12b22dec3df19e2bc1c44c8c7cc

SHA512
7633ef3d1c4212296c633b94bc5cb10b11d651993ee9bb49295ad0840aa666f76ecc22a225d814571f581b8e4c95f78885688f74c48049ee4ad5acdeeed5649c

Download Submit
\Windows\SysWOW64\svchist.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1256-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1256-136-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1792-43-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-59-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-137-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-139-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-140-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-170-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2608-174-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download