gh0strat | 46d069cc231a23eb2bd36e67f85e9c91de37e6764217c2d1fcb94feb585a1ce5

General

Target

252ff69fed43aab45dafaefb6298c440.exe
Size

201KB
MD5

252ff69fed43aab45dafaefb6298c440
SHA1

444740ad8e110814cbf79f8d504644ee4cf4f9e7
SHA256

46d069cc231a23eb2bd36e67f85e9c91de37e6764217c2d1fcb94feb585a1ce5
SHA512

833f1cd6b181471b54b9a127d9b6857c295a55623ee26071c792445b8fc8bb44f2bfc19a538cf5b8f4ff0fb1ae67aec04b1036623345f88dc1f5f3957c265aa2
SSDEEP

3072:5smn0aIOqzY54nqSioDXx4uE9w2qbpUeZPgrQ/O/46ZSM8dmVnH:Ow0aIOqzeSiod4uYzqNvZd/246Zgmp

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2532-17-0x0000000000400000-0x0000000000432200-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2532	hfmtvkihpo

Executes dropped EXE 1 IoCs

pid	Process
2532	hfmtvkihpo

Loads dropped DLL 3 IoCs

pid	Process
2144	252ff69fed43aab45dafaefb6298c440.exe
2144	252ff69fed43aab45dafaefb6298c440.exe
2124	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kftsrphdnx	svchost.exe
File created	C:\Windows\SysWOW64\kvtflmogto	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2532	hfmtvkihpo
2124	svchost.exe
2124	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2532	hfmtvkihpo
Token: SeBackupPrivilege	2532	hfmtvkihpo
Token: SeBackupPrivilege	2532	hfmtvkihpo
Token: SeRestorePrivilege	2532	hfmtvkihpo
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeRestorePrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeSecurityPrivilege	2124	svchost.exe
Token: SeSecurityPrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeSecurityPrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeSecurityPrivilege	2124	svchost.exe
Token: SeBackupPrivilege	2124	svchost.exe
Token: SeRestorePrivilege	2124	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2532	2144	252ff69fed43aab45dafaefb6298c440.exe	28
PID 2144 wrote to memory of 2532	2144	252ff69fed43aab45dafaefb6298c440.exe	28
PID 2144 wrote to memory of 2532	2144	252ff69fed43aab45dafaefb6298c440.exe	28
PID 2144 wrote to memory of 2532	2144	252ff69fed43aab45dafaefb6298c440.exe	28

C:\Users\Admin\AppData\Local\Temp\252ff69fed43aab45dafaefb6298c440.exe
"C:\Users\Admin\AppData\Local\Temp\252ff69fed43aab45dafaefb6298c440.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144
- \??\c:\users\admin\appdata\local\hfmtvkihpo
  "C:\Users\Admin\AppData\Local\Temp\252ff69fed43aab45dafaefb6298c440.exe" a -sc:\users\admin\appdata\local\temp\252ff69fed43aab45dafaefb6298c440.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2144-0-0x0000000000400000-0x0000000000432200-memory.dmp

Filesize
200KB

Download
memory/2144-11-0x0000000000400000-0x0000000000432200-memory.dmp

Filesize
200KB

Download
memory/2144-4-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2532-12-0x0000000000400000-0x0000000000432200-memory.dmp

Filesize
200KB

Download
memory/2532-17-0x0000000000400000-0x0000000000432200-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads