gh0strat | d860174c22effeac91c10774b5601c08c74429905c7f9d4043754448a7cd3a01

General

Target

(电-子-发-票）.exe
Size

36KB
MD5

928c43415fa08992ecf34e90db8c2a5b
SHA1

b2bd43ff4005bce6d39fad9d8bf2c2f25a89f37c
SHA256

e9cc6d34b4e20a11e3af01182672a0ca71d111d1b89d73fc8584a5534d491d7e
SHA512

d1c847fbf19e5d7661ff90b365decc25142de94304c812c016719948901586378909d28424bb388f904f01b072f7840758d6baa4e75a7f857799333acab7976d
SSDEEP

384:4krtyExpPhFmSkkuJ0EKtU/lOgDTp4nuHD80sApEQDeT6lF:jVh93umEeUcgDTWujtP

Score

10^/10

gh0strat evasion rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Thunder\Media.xml	family_gh0strat
behavioral2/memory/4976-168-0x0000000002F50000-0x00000000030CB000-memory.dmp	family_gh0strat
behavioral2/memory/4976-171-0x0000000002F50000-0x00000000030CB000-memory.dmp	family_gh0strat
behavioral2/memory/4976-191-0x0000000002F50000-0x00000000030CB000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

(电-子-发-票）.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (电-子-发-票）.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	(电-子-发-票）.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

(电-子-发-票）.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	(电-子-发-票）.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	(电-子-发-票）.exe

Executes dropped EXE 1 IoCs

Processes:

LiveUpdate.exe

pid process

4976 LiveUpdate.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

(电-子-发-票）.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Wine (电-子-发-票）.exe
Loads dropped DLL 1 IoCs

Processes:

(电-子-发-票）.exe

pid process

2064 (电-子-发-票）.exe

pid	process
4976	LiveUpdate.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Wine	(电-子-发-票）.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral2/memory/4976-165-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-189-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-190-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-192-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-193-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-194-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-195-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-196-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-197-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-198-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-199-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-200-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-201-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-202-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-203-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/4976-204-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LiveUpdate.exe

description	ioc	process
File opened (read-only)	\??\B:	LiveUpdate.exe
File opened (read-only)	\??\I:	LiveUpdate.exe
File opened (read-only)	\??\N:	LiveUpdate.exe
File opened (read-only)	\??\Q:	LiveUpdate.exe
File opened (read-only)	\??\W:	LiveUpdate.exe
File opened (read-only)	\??\J:	LiveUpdate.exe
File opened (read-only)	\??\O:	LiveUpdate.exe
File opened (read-only)	\??\V:	LiveUpdate.exe
File opened (read-only)	\??\X:	LiveUpdate.exe
File opened (read-only)	\??\Z:	LiveUpdate.exe
File opened (read-only)	\??\F:	LiveUpdate.exe
File opened (read-only)	\??\G:	LiveUpdate.exe
File opened (read-only)	\??\M:	LiveUpdate.exe
File opened (read-only)	\??\P:	LiveUpdate.exe
File opened (read-only)	\??\Y:	LiveUpdate.exe
File opened (read-only)	\??\U:	LiveUpdate.exe
File opened (read-only)	\??\E:	LiveUpdate.exe
File opened (read-only)	\??\H:	LiveUpdate.exe
File opened (read-only)	\??\K:	LiveUpdate.exe
File opened (read-only)	\??\L:	LiveUpdate.exe
File opened (read-only)	\??\R:	LiveUpdate.exe
File opened (read-only)	\??\S:	LiveUpdate.exe
File opened (read-only)	\??\T:	LiveUpdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

(电-子-发-票）.exe

pid process

2064 (电-子-发-票）.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LiveUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LiveUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LiveUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

(电-子-发-票）.exeLiveUpdate.exe

pid	process
2064	(电-子-发-票）.exe
2064	(电-子-发-票）.exe
2064	(电-子-发-票）.exe
2064	(电-子-发-票）.exe
2064	(电-子-发-票）.exe
2064	(电-子-发-票）.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe
4976	LiveUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

LiveUpdate.exe

description	pid	process
Token: 33	4976	LiveUpdate.exe
Token: SeIncBasePriorityPrivilege	4976	LiveUpdate.exe
Token: 33	4976	LiveUpdate.exe
Token: SeIncBasePriorityPrivilege	4976	LiveUpdate.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

(电-子-发-票）.exeLiveUpdate.exe

pid process

2064 (电-子-发-票）.exe
4976 LiveUpdate.exe
4976 LiveUpdate.exe

C:\Users\Admin\AppData\Local\Temp\(电-子-发-票）.exe
"C:\Users\Admin\AppData\Local\Temp\(电-子-发-票）.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2064

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

5

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SqlVersion.dll
Filesize
1.8MB

MD5
317f9ff06c076e87e5b1d11242396d5f

SHA1
29868086fe5adb4b32c0216d953c419b596246c7

SHA256
0e10625daf43a3f4c67f2840ced29d535d0307148819c8ec73a7e76241e9f644

SHA512
ba2b12fc365fa232e6c96e1c8ebceb77bf9347fba2ffb4e3cee7d7be829cbab3cec17668cbf401b4904e5b831df3c6550821da1921f214166862dcc83ab44f07

Download Submit
C:\ProgramData\SqlVersion.dll
Filesize
1.8MB

MD5
317f9ff06c076e87e5b1d11242396d5f

SHA1
29868086fe5adb4b32c0216d953c419b596246c7

SHA256
0e10625daf43a3f4c67f2840ced29d535d0307148819c8ec73a7e76241e9f644

SHA512
ba2b12fc365fa232e6c96e1c8ebceb77bf9347fba2ffb4e3cee7d7be829cbab3cec17668cbf401b4904e5b831df3c6550821da1921f214166862dcc83ab44f07

Download Submit
C:\ProgramData\Thunder\LiveUpdate.dat
Filesize
23KB

MD5
f149d3f3ef0361ebe4d346811f29b527

SHA1
3f985657f0b93a58e9405d32eab4ee3957af12d2

SHA256
0929342683de55e572e11428b0cb545f6582c705c59655c0872589ae16043235

SHA512
331645f91cecb66fd8c04a26edc58d6e03ad44710b5b35161cbba3831e09855e02292ffb802d3a2c0ce1a4ecd9f301a580ff1d695ae06c7eda7d90ae72ef602c

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
C:\ProgramData\Thunder\Media.xml
Filesize
1.1MB

MD5
fd481828932e558a22651c092d8bc407

SHA1
0db0d90b2384197d4136643c11cc42091f2a4943

SHA256
b607ba991b27cf9551ffbf51b3e1f2c6a6a63d9748ac9d5c89c4f1b95f76bfa1

SHA512
934b78d80f88b2fe27bc2371b891c171852ceb465980e25bc96220edbd32cfd9e7057d59e3152a506baa862face14b7e1bc5221ce524c2845755c6f5b0514e61

Download Submit
C:\ProgramData\setting.ini
Filesize
14B

MD5
88cc3e3a35ac7a57a2d9b2632c7fc5f8

SHA1
67a04a547a9add726932e00447e1c6939f1639fb

SHA256
18739435f66131b1c596d73fada3d1219ea0a4f2d4ccee56573baef4161d5e43

SHA512
1c40fc3635b2117a1a970778a8dcc11ba97d77a34cbb43583a018e43c1648138a5f8aacaf4d1767deed0b0e39879476e0069a43506b93d19c4997a10b3060038

Download Submit
memory/2064-157-0x0000000074520000-0x00000000746E7000-memory.dmp

Filesize
1.8MB

Download
memory/2064-159-0x0000000074520000-0x00000000746E7000-memory.dmp

Filesize
1.8MB

Download
memory/4976-191-0x0000000002F50000-0x00000000030CB000-memory.dmp

Filesize
1.5MB

Download
memory/4976-194-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-168-0x0000000002F50000-0x00000000030CB000-memory.dmp

Filesize
1.5MB

Download
memory/4976-171-0x0000000002F50000-0x00000000030CB000-memory.dmp

Filesize
1.5MB

Download
memory/4976-189-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-190-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-165-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-192-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-193-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-166-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/4976-195-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-196-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-197-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-198-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-199-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-200-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-201-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-202-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-203-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4976-204-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads