gh0strat | fe37f090254ebab9e1a5fefcc7367ac16617e24f8819f31cf07f301adb498677

General

Target

fe37f090254ebab9e1a5fefcc7367ac16617e24f8819f31cf07f301adb498677.dll
Size

2.1MB
MD5

af282cb1792f5e49af47dd0052312241
SHA1

3880a89bfeaf8eeb1cac5c75d5466ddbbe19e5ab
SHA256

fe37f090254ebab9e1a5fefcc7367ac16617e24f8819f31cf07f301adb498677
SHA512

e036ece3e7574fc27aec635dfe7e9206cd98de5b1eda969734628d93f3b32e79461288f9adc4e36559fe4bfba77f4724480bf766f973227f9f08962d45fa9c67
SSDEEP

49152:xVsHNVFXUhKspt22fq6AFbTj1uj53f/S:DINVFXyKspxqpFbTBsf

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1492-12-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/1492-13-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/1492-16-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/1492-18-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/1492-28-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2388	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1492	svchoat.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	rundll32.exe
2388	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchoat.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\svchoat.exe	rundll32.exe
File created	C:\Windows\SysWOW64\29DF5D8A	svchoat.exe
File opened for modification	C:\Windows\SysWOW64\29DF5D8A	svchoat.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchoat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchoat.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1492	svchoat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2388	rundll32.exe
2388	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2348 wrote to memory of 2388	2348	rundll32.exe	28
PID 2388 wrote to memory of 1492	2388	rundll32.exe	29
PID 2388 wrote to memory of 1492	2388	rundll32.exe	29
PID 2388 wrote to memory of 1492	2388	rundll32.exe	29
PID 2388 wrote to memory of 1492	2388	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe37f090254ebab9e1a5fefcc7367ac16617e24f8819f31cf07f301adb498677.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe37f090254ebab9e1a5fefcc7367ac16617e24f8819f31cf07f301adb498677.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\svchoat.exe
    C:\Windows\SysWOW64\svchoat.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svchoat.exe

Filesize
192KB

MD5
77df692c66b02de46e4bda5f90a1c284

SHA1
cdf332215762be4f2b2db79a6e57a80b4214a573

SHA256
cf829e39ff06c2ea9475c9b900f1dc81fea40dfe3a92f0109dbf09f746ba175b

SHA512
23c3b58697905bab64480135bc07da01573337dce0bb56b4799a365fc88a576eeaaf2d7037ca8314fa61cfda3a6c514c23ab6a0a4575ebf4fdd8a9c54708c607

Download Submit
C:\Windows\SysWOW64\svchoat.exe

Filesize
192KB

MD5
77df692c66b02de46e4bda5f90a1c284

SHA1
cdf332215762be4f2b2db79a6e57a80b4214a573

SHA256
cf829e39ff06c2ea9475c9b900f1dc81fea40dfe3a92f0109dbf09f746ba175b

SHA512
23c3b58697905bab64480135bc07da01573337dce0bb56b4799a365fc88a576eeaaf2d7037ca8314fa61cfda3a6c514c23ab6a0a4575ebf4fdd8a9c54708c607

Download Submit
C:\Windows\SysWOW64\svchoat.exe

Filesize
192KB

MD5
77df692c66b02de46e4bda5f90a1c284

SHA1
cdf332215762be4f2b2db79a6e57a80b4214a573

SHA256
cf829e39ff06c2ea9475c9b900f1dc81fea40dfe3a92f0109dbf09f746ba175b

SHA512
23c3b58697905bab64480135bc07da01573337dce0bb56b4799a365fc88a576eeaaf2d7037ca8314fa61cfda3a6c514c23ab6a0a4575ebf4fdd8a9c54708c607

Download Submit
\Windows\SysWOW64\svchoat.exe

Filesize
192KB

MD5
77df692c66b02de46e4bda5f90a1c284

SHA1
cdf332215762be4f2b2db79a6e57a80b4214a573

SHA256
cf829e39ff06c2ea9475c9b900f1dc81fea40dfe3a92f0109dbf09f746ba175b

SHA512
23c3b58697905bab64480135bc07da01573337dce0bb56b4799a365fc88a576eeaaf2d7037ca8314fa61cfda3a6c514c23ab6a0a4575ebf4fdd8a9c54708c607

Download Submit
\Windows\SysWOW64\svchoat.exe

Filesize
192KB

MD5
77df692c66b02de46e4bda5f90a1c284

SHA1
cdf332215762be4f2b2db79a6e57a80b4214a573

SHA256
cf829e39ff06c2ea9475c9b900f1dc81fea40dfe3a92f0109dbf09f746ba175b

SHA512
23c3b58697905bab64480135bc07da01573337dce0bb56b4799a365fc88a576eeaaf2d7037ca8314fa61cfda3a6c514c23ab6a0a4575ebf4fdd8a9c54708c607

Download Submit
memory/1492-10-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1492-12-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1492-13-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1492-16-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1492-18-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/1492-28-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/2388-2-0x0000000002180000-0x0000000002287000-memory.dmp

Filesize
1.0MB

Download
memory/2388-21-0x0000000002180000-0x0000000002287000-memory.dmp

Filesize
1.0MB

Download
memory/2388-27-0x0000000002180000-0x0000000002287000-memory.dmp

Filesize
1.0MB

Download
memory/2388-29-0x0000000002180000-0x0000000002287000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads