gh0strat | 49bf9b104775088fe07e2f26ced8367189952df95575ad244a15fc593190f775

General

Target

0afaeef479f93bdc60bb639b18f60eca.exe
Size

95KB
MD5

0afaeef479f93bdc60bb639b18f60eca
SHA1

6e3c3d58bf88f80242c720c66fb93115e138724a
SHA256

49bf9b104775088fe07e2f26ced8367189952df95575ad244a15fc593190f775
SHA512

1718225859f9ed5b92c08e9664e7fca9b08f2047bf85e9dc2e32f230318dd56f297508c93adc1cf269b5371c985994b029d74e418091cf563d5810e964ce5d06
SSDEEP

1536:KFFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9bwLFk0D6A:KLS4jHS8q/3nTzePCwNUh4E92Fk0uA

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/808-16-0x0000000000400000-0x000000000044E5F0-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000155fd-19.dat	family_gh0strat
behavioral1/files/0x00080000000155fd-20.dat	family_gh0strat
behavioral1/memory/808-21-0x0000000000400000-0x000000000044E5F0-memory.dmp	family_gh0strat
behavioral1/memory/808-22-0x0000000000400000-0x000000000044E5F0-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
808	gtihbnjsmr

Executes dropped EXE 1 IoCs

pid	Process
808	gtihbnjsmr

Loads dropped DLL 3 IoCs

pid	Process
3064	0afaeef479f93bdc60bb639b18f60eca.exe
3064	0afaeef479f93bdc60bb639b18f60eca.exe
1960	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hxcjxgnphv	svchost.exe
File created	C:\Windows\SysWOW64\hgqcgjqntq	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
808	gtihbnjsmr
1960	svchost.exe
1960	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	808	gtihbnjsmr
Token: SeBackupPrivilege	808	gtihbnjsmr
Token: SeBackupPrivilege	808	gtihbnjsmr
Token: SeRestorePrivilege	808	gtihbnjsmr
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeRestorePrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeSecurityPrivilege	1960	svchost.exe
Token: SeSecurityPrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeSecurityPrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeSecurityPrivilege	1960	svchost.exe
Token: SeBackupPrivilege	1960	svchost.exe
Token: SeRestorePrivilege	1960	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 808	3064	0afaeef479f93bdc60bb639b18f60eca.exe	28
PID 3064 wrote to memory of 808	3064	0afaeef479f93bdc60bb639b18f60eca.exe	28
PID 3064 wrote to memory of 808	3064	0afaeef479f93bdc60bb639b18f60eca.exe	28
PID 3064 wrote to memory of 808	3064	0afaeef479f93bdc60bb639b18f60eca.exe	28

C:\Users\Admin\AppData\Local\Temp\0afaeef479f93bdc60bb639b18f60eca.exe
"C:\Users\Admin\AppData\Local\Temp\0afaeef479f93bdc60bb639b18f60eca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064
- \??\c:\users\admin\appdata\local\gtihbnjsmr
  "C:\Users\Admin\AppData\Local\Temp\0afaeef479f93bdc60bb639b18f60eca.exe" a -sc:\users\admin\appdata\local\temp\0afaeef479f93bdc60bb639b18f60eca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gtihbnjsmr

Filesize
92KB

MD5
86dd31907042310a3be4c1c621b46864

SHA1
9b3f40bebd693cad471854141d220f5d7e149a24

SHA256
9d688b09be98e3d145c31ec0406570382c61245a9d4456fd8d04d7d61b34b1ed

SHA512
6df102e71bcce545fbdaacdda3294e865af6cfb4e809b92286f0a3a97fb64cb843935fb0b894a7dd9a587c8ad086497300701861166a46010379c261514f2857

Download Submit
C:\Users\Admin\AppData\Local\gtihbnjsmr

Filesize
236KB

MD5
e6612d877e554dd7b9819c2ecb72c38e

SHA1
4874deaf998cb1845fa490323ebe71e75abe404f

SHA256
704089ed18a0a296fdf3caa8d91b1794a93917d3e1e486d3293a359588bd240c

SHA512
49983b24d00f83196b810317257aa17fa240d145d867a70802ae2108dab5910913009606f551cd16c3283d3fd4749e26c578466837a4c726635636527bb6852b

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\gcmul.cc3

Filesize
92KB

MD5
f50916b5dfc5e14fc4ad68561cae04e9

SHA1
87692c43a3d42fbf394beb1fd4e4197373012a49

SHA256
3145647b3e5abd701f316db51d20490d984f2c6484168a3660aa718cb9dd7c9d

SHA512
19b4550677ac350c2771cc99280bf3e8555131df2f5e184bc68a624c45c393b8655a0ff3ac73992b8e3bd0cc7dbfc7a8613461cf720bbfe5487899e9e73b3d3b

Download Submit
\Users\Admin\AppData\Local\gtihbnjsmr

Filesize
1.6MB

MD5
e3bd46d095b4ab40befdd14e79a4a230

SHA1
ca07c88dfa74a93d0c6a0d0c4c4651e073a5b0df

SHA256
738c979d787fdad5694b1b5fa7c878d2d3a801e81b4a1c1a00bfe4b02b9eb864

SHA512
a69d9a2f1ea132a96f5eb34254ea27824b5074479b12d5c9cdba0e0d3a3f32c7b1ed563c4e4ab2b1d56229029c932f100ecf8ca0c87e9cd4d6314985afd8878a

Download Submit
\Users\Admin\AppData\Local\gtihbnjsmr

Filesize
579KB

MD5
c8a1e4feb33cbfa965be9080b8689d7b

SHA1
fe2ded2ceb4331369384a057c24e22402436b0fc

SHA256
151dfb4aa22baea836c5fa06f5497f14fb74f2ae37c9692edb88b5973554642b

SHA512
c1b5a81f146dac808745e2ae453b8bdac0d7cf472e5b5d5f42b4cc5e5d70f8d1fd350dab877cf778ec31a7e0af08707fb6dba7e44beef38b51be9db460d92db1

Download Submit
memory/808-16-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/808-13-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/808-15-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/808-21-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/808-22-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/1960-24-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3064-11-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/3064-0-0x0000000000400000-0x000000000044E5F0-memory.dmp

Filesize
313KB

Download
memory/3064-6-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads