gh0strat | a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
Size

260KB
MD5

506130a01fb117dcb83ae41ea706b21d
SHA1

a019464e062feb4354ac216d67c097808f6a2a38
SHA256

a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b
SHA512

8140bdca34f8b9b49251fd4dc5a8d01a1fcd471ab55851d198b2c9eb50ea9eb85fb8a413f45bd045065f11a48f7a1db39818aed87c441e70a5aa1d0c2fb2ae00
SSDEEP

6144:nCcOgechPQSE7M2IpkOZBdYHEzodH9aQw:KgeiPxEIDBqHEzo185

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000133ab-68.dat	family_gh0strat
behavioral1/memory/1504-69-0x0000000000400000-0x0000000000479000-memory.dmp	family_gh0strat
behavioral1/files/0x000a0000000133ab-73.dat	family_gh0strat
behavioral1/files/0x000a0000000133ab-72.dat	family_gh0strat
behavioral1/files/0x000a0000000133ab-71.dat	family_gh0strat
behavioral1/files/0x000a0000000133ab-74.dat	family_gh0strat
behavioral1/memory/1144-75-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/1504-91-0x0000000000400000-0x0000000000479000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1144	qiuqi1.exe
1172	qiuqi1.exe

Deletes itself 1 IoCs

pid	Process
380	cmd.exe

Loads dropped DLL 11 IoCs

pid	Process
1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
1144	qiuqi1.exe
1144	qiuqi1.exe
1144	qiuqi1.exe
1144	qiuqi1.exe
1144	qiuqi1.exe
1144	qiuqi1.exe
1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
1172	qiuqi1.exe
1172	qiuqi1.exe
1172	qiuqi1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	qiuqi1.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\qiuqi1.exe	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
File opened for modification	C:\Program Files\Common Files\qiuqi1.exe	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
File created	C:\Program Files\Common Files\qiuqi1.bat	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
File created	C:\Program Files\Common Files\maoma1.dll	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
File created	C:\Program Files\Common Files\qiuqi1.dll	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qiuqi1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qiuqi1.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32	qiuqi1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	qiuqi1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}	qiuqi1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1144	qiuqi1.exe
1144	qiuqi1.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1144	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	26
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1504 wrote to memory of 1172	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	27
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1172 wrote to memory of 520	1172	qiuqi1.exe	28
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30
PID 1504 wrote to memory of 380	1504	a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe	30

C:\Users\Admin\AppData\Local\Temp\a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe
"C:\Users\Admin\AppData\Local\Temp\a84e4a294bfff86fd236b92cecba7cf8dfdc4d8faff5fad6d11e2b767846758b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files\Common Files\qiuqi1.exe
  "C:\Program Files\Common Files\qiuqi1.exe" "C:\Program Files\Common Files\maoma1.dll" ServiceMain
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- C:\Documents and Settings\qiuqi1.exe
  "C:\Documents and Settings\qiuqi1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\DOCUME~1\qiuqi1.exe
    3⤵
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\A84E4A~1.EXE
  2⤵
  - Deletes itself
  PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\qiuqi1.exe

Filesize
24.0MB

MD5
944906924d440f1c7095841d73274357

SHA1
53f19947cc2b451211dd64f0cf08b61618dd6dc2

SHA256
5faaa6c6acd03770f2bc0d1a928e98e3cb1305292723f299fa43d16a06e74894

SHA512
b36a3ded5683d2baeea27e6ce63fd06e0f8fb2cee20b9400ac7d825ab2d5e95311d926cc0b3c635ed8d3980f28a82834cf802b5e4c05b5e5efb7f193b5de9711

Download Submit
C:\Program Files\Common Files\maoma1.dll

Filesize
24.1MB

MD5
df6d8977ad6c838fea216cb0114a332b

SHA1
0c7c6e99532e1c07fe35e6054a384ebc3b954d26

SHA256
9e1cb525bfc64215922208fa2cb68d4a995680154920b6fece4136ae654f8192

SHA512
7a88bae0318343685f2f3b7c8457e5b1f30399313afd26103edff4f23ab9fb02c261248fda8782a3d1b610203599a768b1df8b6995d9504ad4eb5d7cab0b3d6b

Download Submit
C:\Program Files\Common Files\qiuqi1.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Program Files\Common Files\qiuqi1.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\qiuqi1.exe

Filesize
24.0MB

MD5
944906924d440f1c7095841d73274357

SHA1
53f19947cc2b451211dd64f0cf08b61618dd6dc2

SHA256
5faaa6c6acd03770f2bc0d1a928e98e3cb1305292723f299fa43d16a06e74894

SHA512
b36a3ded5683d2baeea27e6ce63fd06e0f8fb2cee20b9400ac7d825ab2d5e95311d926cc0b3c635ed8d3980f28a82834cf802b5e4c05b5e5efb7f193b5de9711

Download Submit
\Program Files\Common Files\maoma1.dll

Filesize
24.1MB

MD5
df6d8977ad6c838fea216cb0114a332b

SHA1
0c7c6e99532e1c07fe35e6054a384ebc3b954d26

SHA256
9e1cb525bfc64215922208fa2cb68d4a995680154920b6fece4136ae654f8192

SHA512
7a88bae0318343685f2f3b7c8457e5b1f30399313afd26103edff4f23ab9fb02c261248fda8782a3d1b610203599a768b1df8b6995d9504ad4eb5d7cab0b3d6b

Download Submit
\Program Files\Common Files\maoma1.dll

Filesize
24.1MB

MD5
df6d8977ad6c838fea216cb0114a332b

SHA1
0c7c6e99532e1c07fe35e6054a384ebc3b954d26

SHA256
9e1cb525bfc64215922208fa2cb68d4a995680154920b6fece4136ae654f8192

SHA512
7a88bae0318343685f2f3b7c8457e5b1f30399313afd26103edff4f23ab9fb02c261248fda8782a3d1b610203599a768b1df8b6995d9504ad4eb5d7cab0b3d6b

Download Submit
\Program Files\Common Files\maoma1.dll

Filesize
24.1MB

MD5
df6d8977ad6c838fea216cb0114a332b

SHA1
0c7c6e99532e1c07fe35e6054a384ebc3b954d26

SHA256
9e1cb525bfc64215922208fa2cb68d4a995680154920b6fece4136ae654f8192

SHA512
7a88bae0318343685f2f3b7c8457e5b1f30399313afd26103edff4f23ab9fb02c261248fda8782a3d1b610203599a768b1df8b6995d9504ad4eb5d7cab0b3d6b

Download Submit
\Program Files\Common Files\maoma1.dll

Filesize
24.1MB

MD5
df6d8977ad6c838fea216cb0114a332b

SHA1
0c7c6e99532e1c07fe35e6054a384ebc3b954d26

SHA256
9e1cb525bfc64215922208fa2cb68d4a995680154920b6fece4136ae654f8192

SHA512
7a88bae0318343685f2f3b7c8457e5b1f30399313afd26103edff4f23ab9fb02c261248fda8782a3d1b610203599a768b1df8b6995d9504ad4eb5d7cab0b3d6b

Download Submit
\Program Files\Common Files\qiuqi1.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Program Files\Common Files\qiuqi1.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Program Files\Common Files\qiuqi1.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\qiuqi1.exe

Filesize
24.0MB

MD5
944906924d440f1c7095841d73274357

SHA1
53f19947cc2b451211dd64f0cf08b61618dd6dc2

SHA256
5faaa6c6acd03770f2bc0d1a928e98e3cb1305292723f299fa43d16a06e74894

SHA512
b36a3ded5683d2baeea27e6ce63fd06e0f8fb2cee20b9400ac7d825ab2d5e95311d926cc0b3c635ed8d3980f28a82834cf802b5e4c05b5e5efb7f193b5de9711

Download Submit
\Users\qiuqi1.exe

Filesize
24.0MB

MD5
944906924d440f1c7095841d73274357

SHA1
53f19947cc2b451211dd64f0cf08b61618dd6dc2

SHA256
5faaa6c6acd03770f2bc0d1a928e98e3cb1305292723f299fa43d16a06e74894

SHA512
b36a3ded5683d2baeea27e6ce63fd06e0f8fb2cee20b9400ac7d825ab2d5e95311d926cc0b3c635ed8d3980f28a82834cf802b5e4c05b5e5efb7f193b5de9711

Download Submit
\Users\qiuqi1.exe

Filesize
24.0MB

MD5
944906924d440f1c7095841d73274357

SHA1
53f19947cc2b451211dd64f0cf08b61618dd6dc2

SHA256
5faaa6c6acd03770f2bc0d1a928e98e3cb1305292723f299fa43d16a06e74894

SHA512
b36a3ded5683d2baeea27e6ce63fd06e0f8fb2cee20b9400ac7d825ab2d5e95311d926cc0b3c635ed8d3980f28a82834cf802b5e4c05b5e5efb7f193b5de9711

Download Submit
\Users\qiuqi1.exe

Filesize
24.0MB

MD5
944906924d440f1c7095841d73274357

SHA1
53f19947cc2b451211dd64f0cf08b61618dd6dc2

SHA256
5faaa6c6acd03770f2bc0d1a928e98e3cb1305292723f299fa43d16a06e74894

SHA512
b36a3ded5683d2baeea27e6ce63fd06e0f8fb2cee20b9400ac7d825ab2d5e95311d926cc0b3c635ed8d3980f28a82834cf802b5e4c05b5e5efb7f193b5de9711

Download Submit
memory/1144-75-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1172-89-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1172-86-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1172-87-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1172-85-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1504-58-0x0000000000300000-0x0000000000379000-memory.dmp

Filesize
484KB

Download
memory/1504-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-54-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-84-0x0000000000500000-0x0000000000506000-memory.dmp

Filesize
24KB

Download
memory/1504-56-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-57-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-69-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-60-0x0000000000480000-0x00000000004BE000-memory.dmp

Filesize
248KB

Download
memory/1504-59-0x0000000000300000-0x0000000000379000-memory.dmp

Filesize
484KB

Download
memory/1504-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1504-70-0x0000000000300000-0x0000000000379000-memory.dmp

Filesize
484KB

Download
memory/1504-92-0x0000000000480000-0x00000000004BE000-memory.dmp

Filesize
248KB

Download