gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
128s
max time network
133s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bj.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral32/memory/904-54-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/memory/904-61-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
\Users\Admin\AppData\Local\dwhilmxqyu	family_gh0strat
C:\Users\Admin\AppData\Local\dwhilmxqyu	family_gh0strat
\??\c:\users\admin\appdata\local\dwhilmxqyu	family_gh0strat
behavioral32/memory/268-77-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral32/memory/268-79-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
\??\c:\programdata\drm\%sessionname%\sojmj.cc3	family_gh0strat
\ProgramData\DRM\%SESSIONNAME%\sojmj.cc3	family_gh0strat
behavioral32/memory/268-92-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ikk6652.tmp	acprotect
\Users\Admin\AppData\Local\Temp\avkDB04.tmp	acprotect

Deletes itself 1 IoCs

Processes:

dwhilmxqyu

pid process

268 dwhilmxqyu
Executes dropped EXE 1 IoCs

Processes:

dwhilmxqyu

pid process

268 dwhilmxqyu
Loads dropped DLL 4 IoCs

Processes:

bj.exedwhilmxqyusvchost.exe

pid process

904 bj.exe
904 bj.exe
268 dwhilmxqyu
1240 svchost.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\knpeqckbma svchost.exe

pid	process
268	dwhilmxqyu

pid	process
268	dwhilmxqyu

pid	process
904	bj.exe
904	bj.exe
268	dwhilmxqyu
1240	svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\knpeqckbma	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dwhilmxqyusvchost.exe

pid process

268 dwhilmxqyu
1240 svchost.exe
1240 svchost.exe

pid	process
268	dwhilmxqyu
1240	svchost.exe
1240	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

dwhilmxqyusvchost.exe

description	pid	process
Token: SeRestorePrivilege	268	dwhilmxqyu
Token: SeBackupPrivilege	268	dwhilmxqyu
Token: SeBackupPrivilege	268	dwhilmxqyu
Token: SeRestorePrivilege	268	dwhilmxqyu
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeRestorePrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeSecurityPrivilege	1240	svchost.exe
Token: SeSecurityPrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeSecurityPrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeSecurityPrivilege	1240	svchost.exe
Token: SeBackupPrivilege	1240	svchost.exe
Token: SeRestorePrivilege	1240	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bj.exedwhilmxqyu

pid process

904 bj.exe
268 dwhilmxqyu

pid	process
904	bj.exe
268	dwhilmxqyu

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

bj.exe

description	pid	process	target process
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu
PID 904 wrote to memory of 268	904	bj.exe	dwhilmxqyu

C:\Users\Admin\AppData\Local\Temp\bj.exe
"C:\Users\Admin\AppData\Local\Temp\bj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

\??\c:\users\admin\appdata\local\dwhilmxqyu
"C:\Users\Admin\AppData\Local\Temp\bj.exe" a -sc:\users\admin\appdata\local\temp\bj.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:268

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dwhilmxqyu

Filesize
19.8MB

MD5
2d0968ac4d88f7202038991ed0567258

SHA1
31874921c8873ce35091bd4f71f3a520f3efad3c

SHA256
2d8097fc5f915182a5245a776b4c74b04102e3f4172eebd58e4771e7f2d59758

SHA512
198889d6500d16a5b943d2d76bec1d264755b69c925479a095f74611dd6d64171582f9e28596506f7eb2d76a5c92b359a39e0cc42ae6732fa60cb3bba33d288b

Download Submit
\??\c:\programdata\drm\%sessionname%\sojmj.cc3

Filesize
24.1MB

MD5
e00aaf3c3b4159239658c92f3bcc03f4

SHA1
90dd64495a62971830abbe9f14f7e6ca51b1547b

SHA256
5a26194a9f2813de5818b384624299717a5f0dcdba43dd60ba8338199980ccb7

SHA512
c8867c37ea198d89036cb155d0e51e8be9298a1674ba13a928eb50fdb70f4443ad25f003a17a8b13f299a5479794998a0062a79708a540b4a51c117f7afd1e90

Download Submit
\??\c:\users\admin\appdata\local\dwhilmxqyu

Filesize
19.8MB

MD5
2d0968ac4d88f7202038991ed0567258

SHA1
31874921c8873ce35091bd4f71f3a520f3efad3c

SHA256
2d8097fc5f915182a5245a776b4c74b04102e3f4172eebd58e4771e7f2d59758

SHA512
198889d6500d16a5b943d2d76bec1d264755b69c925479a095f74611dd6d64171582f9e28596506f7eb2d76a5c92b359a39e0cc42ae6732fa60cb3bba33d288b

Download Submit
\ProgramData\DRM\%SESSIONNAME%\sojmj.cc3

Filesize
24.1MB

MD5
e00aaf3c3b4159239658c92f3bcc03f4

SHA1
90dd64495a62971830abbe9f14f7e6ca51b1547b

SHA256
5a26194a9f2813de5818b384624299717a5f0dcdba43dd60ba8338199980ccb7

SHA512
c8867c37ea198d89036cb155d0e51e8be9298a1674ba13a928eb50fdb70f4443ad25f003a17a8b13f299a5479794998a0062a79708a540b4a51c117f7afd1e90

Download Submit
\Users\Admin\AppData\Local\Temp\avkDB04.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
\Users\Admin\AppData\Local\Temp\ikk6652.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
\Users\Admin\AppData\Local\dwhilmxqyu

Filesize
19.8MB

MD5
2d0968ac4d88f7202038991ed0567258

SHA1
31874921c8873ce35091bd4f71f3a520f3efad3c

SHA256
2d8097fc5f915182a5245a776b4c74b04102e3f4172eebd58e4771e7f2d59758

SHA512
198889d6500d16a5b943d2d76bec1d264755b69c925479a095f74611dd6d64171582f9e28596506f7eb2d76a5c92b359a39e0cc42ae6732fa60cb3bba33d288b

Download Submit
memory/268-91-0x0000000000440000-0x00000000004B4000-memory.dmp

Filesize
464KB

Download
memory/268-83-0x0000000000440000-0x00000000004B4000-memory.dmp

Filesize
464KB

Download
memory/268-78-0x0000000000440000-0x00000000004B4000-memory.dmp

Filesize
464KB

Download
memory/268-79-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/268-92-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/268-76-0x0000000000440000-0x00000000004B4000-memory.dmp

Filesize
464KB

Download
memory/268-77-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/904-61-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/904-71-0x0000000000270000-0x00000000002E4000-memory.dmp

Filesize
464KB

Download
memory/904-63-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/904-54-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/904-60-0x0000000000270000-0x00000000002E4000-memory.dmp

Filesize
464KB

Download
memory/904-59-0x0000000000270000-0x00000000002E4000-memory.dmp

Filesize
464KB

Download
memory/904-58-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1240-93-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download