gh0strat | 02d06fdca8fb779ebc10df2d2aab7e56cd6c512ee743ac29c463cbeb084d620c

General

Target

20f9afa820f1c7020273ad4e3ae2dd09.exe
Size

204KB
MD5

20f9afa820f1c7020273ad4e3ae2dd09
SHA1

05ed7a52956a171588b09108476274433af5646f
SHA256

02d06fdca8fb779ebc10df2d2aab7e56cd6c512ee743ac29c463cbeb084d620c
SHA512

144fe021d16b2f5676d0a841c4474baf2aef78b978ad32d7deb0af51ab51a561e3a44db1371b6f43268d94db9af4ad78b56c7bb96ed76821b9f2757fa25b7c4f
SSDEEP

3072:frBaHAhAtPf6BWHWVXhqPEzO/V1VrNYQkCA+HFSWvF3TBftEnob2RI:DuAh/WHv9DNYtEHhvF3TBlEnob/

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225a-2.dat	family_gh0strat
behavioral1/files/0x000a00000001225a-9.dat	family_gh0strat
behavioral1/files/0x000a00000001225a-8.dat	family_gh0strat
behavioral1/files/0x000a00000001225a-6.dat	family_gh0strat
behavioral1/files/0x000a00000001225a-4.dat	family_gh0strat
behavioral1/memory/2168-23-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/files/0x00070000000155e6-21.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2168	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
1604	20f9afa820f1c7020273ad4e3ae2dd09.exe
1604	20f9afa820f1c7020273ad4e3ae2dd09.exe
2168	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yjsoft.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\yjsoft.ini	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\alg.exe	svchost.exe
File opened for modification	C:\windows\alg.exe	svchost.exe
File created	C:\Windows\Sys.VBS	svchost.exe
File created	C:\WINDOWS\FF13.exe	svchost.exe
File created	C:\WINDOWS\FF12.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe
2168	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	svchost.exe
Token: SeDebugPrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe
Token: SeBackupPrivilege	2168	svchost.exe
Token: SeRestorePrivilege	2168	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2168	1604	20f9afa820f1c7020273ad4e3ae2dd09.exe	28
PID 1604 wrote to memory of 2168	1604	20f9afa820f1c7020273ad4e3ae2dd09.exe	28
PID 1604 wrote to memory of 2168	1604	20f9afa820f1c7020273ad4e3ae2dd09.exe	28
PID 1604 wrote to memory of 2168	1604	20f9afa820f1c7020273ad4e3ae2dd09.exe	28
PID 2168 wrote to memory of 2856	2168	svchost.exe	29
PID 2168 wrote to memory of 2856	2168	svchost.exe	29
PID 2168 wrote to memory of 2856	2168	svchost.exe	29
PID 2168 wrote to memory of 2856	2168	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\20f9afa820f1c7020273ad4e3ae2dd09.exe
"C:\Users\Admin\AppData\Local\Temp\20f9afa820f1c7020273ad4e3ae2dd09.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Sys.VBS"
    3⤵
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
23KB

MD5
9e7cd9b58f2b7ba26cc9cabd10040013

SHA1
085d60f1ad4c497ef1cba338e6c9a347f30bf75d

SHA256
73a423aa99acda04d622a98c8fefb8a41cdd2dff1a75a13e0355055274784121

SHA512
ee757c656d59103cf8778ba2f00b495c11c2809519fe6c141815b22dfd70d5d87c6f21b75ec473abf6b1a3dde383b7a712dda29c9e8bc6b4cdfd064256eb3d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
92KB

MD5
45203f8c37e829b694d93b6564636b0e

SHA1
fc62fd0148214f4d7e42b688595481b0945ba045

SHA256
e4561679488a30139bc85655068128b867d8cf85440971d6cd432e0500cdd68b

SHA512
ab2e75e92b623f660132b49db92ab87f6a3116dc674d6ece9b81610dbbd6250856581047f59e599725a75d7b3216bd0d13b50f466a54ffb49d502f91f51a23fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
320KB

MD5
aeb5cfb52ae15c51eca02c93f440e91c

SHA1
3b0339874ae04deec3d8105a38f7682e3d1e40ca

SHA256
89d0c29e9b34642de4211a495c042b41efcc8da31e9daafba962eeaa5f07f1d5

SHA512
6730e3787251c4ecd182c07beb6e4cda2444d3e4483ebfe72174a0cfe67de38bae66bdb7d5e54038ca729fbab0e75e9ad6b4c3632dafcfcfeac86b326993dbaa

Download Submit
C:\Windows\Sys.VBS

Filesize
1KB

MD5
e5baac34de9a9068a0c901392f21efe5

SHA1
77f9cb2be96bfbf4e0eefb27b759faeb13b50b29

SHA256
7fa5d6fb181d48105524c2836db0671faf8454d7236a74b434075ce64b52a7a9

SHA512
dac036e3136abdb14c799b52f91ccfa39699943b980276d563072d63a5bbd5fdf975cdce04f1df832d8a19735231a7ed9a52eddff2b6f2cc47b4b8a1aa62f374

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
330KB

MD5
c7cb96c99de07c33abcdba4654e24bca

SHA1
deaca7527075a9300c800c046b5f3a3330f03fd7

SHA256
b8cd825c71f8e924e76bd9d99923c96e61cae3bef008ee68d2d041d0fa11e061

SHA512
8a3416e7a9bb152a89fb5b0889879bc0ab2be79596669667abac2e5d138ffac73c61fa53fc49687998387c2558655ca8fc9d3f4ef3880f5763f1bd3626ffbefc

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
567KB

MD5
2c76be2f76551491a72b7c60c284ddbb

SHA1
8503c25e39d90a9e6b7fab1889b1bd02b22e409c

SHA256
64d7b980bc68202c3d416c692793f7a9d534958dc190e64c9ef6f3b4b22c2173

SHA512
72e44bec7cab473135dd138f14f9d50508fcfa9a4d2e2273fd29af1c6521f4da953a1885b6a29d2e595201d5417f9d10ad430179b7369797a6a4c37a073fb072

Download Submit
\Windows\SysWOW64\yjsoft.ini

Filesize
383KB

MD5
61812b000e6ec05978af9541b7972f6c

SHA1
eb06a9eb6b887b90f72dfa24590375cef44b8257

SHA256
3ed115bd39cf865136cac8cf6b935d2700c631f6ee34a060975e62f0a3ac4374

SHA512
2dc9a6436151faffdf783c0897b180a4fe8b12bc72d6f27aa6e3c895a66bf3a01c455e81ad93642209cdcd4bbeed93aa02ababee507976506aabba5e915677ab

Download Submit
memory/2168-23-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2168-25-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads