gh0strat | 1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec

General

Target

1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
Size

204KB
MD5

3cc5633a1c10621a9f34cae49cee1d48
SHA1

f20a294698f474d3c1f86a1a8738ca38af7cf7e7
SHA256

1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec
SHA512

bf3246c24e67a0ee407794069585993a44add2376d1ba81fac4c8aac716739d733fceb91c551b5b43de74fc0cc59c7ece54c6125c109a17c303deacce37b3610
SSDEEP

3072:ArBaHAhAtPf6BWHWVXhqPEzO/V1VrNYQkCA+HFSWvF3TBftEnob2RI:8uAh/WHv9DNYtEHhvF3TBlEnob/

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b2d2-54.dat	family_gh0strat
behavioral1/files/0x000500000000b2d2-55.dat	family_gh0strat
behavioral1/files/0x000500000000b2d2-57.dat	family_gh0strat
behavioral1/files/0x000500000000b2d2-58.dat	family_gh0strat
behavioral1/files/0x0007000000013199-63.dat	family_gh0strat
behavioral1/memory/900-64-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
900	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
1060	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
1060	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
900	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yjsoft.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\yjsoft.ini	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\alg.exe	svchost.exe
File opened for modification	C:\windows\alg.exe	svchost.exe
File created	C:\Windows\Sys.VBS	svchost.exe
File created	C:\WINDOWS\FF13.exe	svchost.exe
File created	C:\WINDOWS\FF12.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
900	svchost.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	svchost.exe
Token: SeDebugPrivilege	900	svchost.exe
Token: SeBackupPrivilege	900	svchost.exe
Token: SeRestorePrivilege	900	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 900	1060	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	27
PID 1060 wrote to memory of 900	1060	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	27
PID 1060 wrote to memory of 900	1060	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	27
PID 1060 wrote to memory of 900	1060	1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe	27
PID 900 wrote to memory of 1912	900	svchost.exe	28
PID 900 wrote to memory of 1912	900	svchost.exe	28
PID 900 wrote to memory of 1912	900	svchost.exe	28
PID 900 wrote to memory of 1912	900	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe
"C:\Users\Admin\AppData\Local\Temp\1f563342e0e196e9e4902bb5f4b5077c40e632d80f5b4c9a9ee5919fafcd2eec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
    3⤵
    PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
15.2MB

MD5
ce470b3a02f89d43e1f765e5d59226a8

SHA1
4d0d91ab311eb8602a967c03b9e501894364052c

SHA256
6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

SHA512
5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
15.2MB

MD5
ce470b3a02f89d43e1f765e5d59226a8

SHA1
4d0d91ab311eb8602a967c03b9e501894364052c

SHA256
6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

SHA512
5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

Download Submit
C:\Windows\Sys.VBS

Filesize
1KB

MD5
e5baac34de9a9068a0c901392f21efe5

SHA1
77f9cb2be96bfbf4e0eefb27b759faeb13b50b29

SHA256
7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9

SHA512
dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
15.2MB

MD5
ce470b3a02f89d43e1f765e5d59226a8

SHA1
4d0d91ab311eb8602a967c03b9e501894364052c

SHA256
6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

SHA512
5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
15.2MB

MD5
ce470b3a02f89d43e1f765e5d59226a8

SHA1
4d0d91ab311eb8602a967c03b9e501894364052c

SHA256
6ee6a956941b90233d173cb03dacdc3476b3b5f31cffdf3565235d9c62ea8c63

SHA512
5a393f840a6c8ee6dd48c52635808dc66da79875db0ae1893044ca671434dc8a1f0effc6501128cc2fc08264ba0f52c1edb78f993da6a81de9057ebbbfe6e7e6

Download Submit
\Windows\SysWOW64\yjsoft.ini

Filesize
10.1MB

MD5
a3bbcb155872cc65276edac08d7eff0a

SHA1
64db81055ebd5186ad8e9f5626d9d798f688c729

SHA256
c3d6e5a56e91894581f4310804eb5820d4969a0b98d3f053b8ba59540211d559

SHA512
f26b5d41ca94602070cd27978480ee7d9cb412b716365ddba18a7d28467bfdd433bcf85ce7682a9d05f3fc17131d0af65e3804763c243c17159bb8bdd0ce3d9a

Download Submit
memory/900-59-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/900-64-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing