gh0strat | 26cf8c53b438bd1329b6b45f9b6fb146458c889a4e5dbcd88e4cf393c4676cee

General

Target

6bfaf13f199eea66483a44878dd5a646.exe
Size

96KB
MD5

6bfaf13f199eea66483a44878dd5a646
SHA1

03b73d5de0bb7fc3d5ec5c70b32a66f73db5583b
SHA256

26cf8c53b438bd1329b6b45f9b6fb146458c889a4e5dbcd88e4cf393c4676cee
SHA512

eef57fd4e021b5005699e7cba367377c0ee0b051a2fc66c28fb8dc78704838df6ce0002c8d8a41ac6942ee1724ece8b7e53640bc9c54a385859092104042a2f5
SSDEEP

1536:B5FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnRJiCTSv7ZU:BvS4jHS8q/3nTzePCwNUh4E9zi/zZU

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/1788-21-0x0000000000400000-0x000000000044E30C-memory.dmp	family_gh0strat
behavioral1/files/0x0030000000015cdd-25.dat	family_gh0strat
behavioral1/files/0x0030000000015cdd-26.dat	family_gh0strat
behavioral1/memory/1788-27-0x0000000000400000-0x000000000044E30C-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1788	huuqkjdoqc

Executes dropped EXE 1 IoCs

pid	Process
1788	huuqkjdoqc

Loads dropped DLL 3 IoCs

pid	Process
2876	6bfaf13f199eea66483a44878dd5a646.exe
2876	6bfaf13f199eea66483a44878dd5a646.exe
284	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\trpjwoilto	svchost.exe
File created	C:\Windows\SysWOW64\tobtmcioip	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1788	huuqkjdoqc
284	svchost.exe
284	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1788	huuqkjdoqc
Token: SeBackupPrivilege	1788	huuqkjdoqc
Token: SeBackupPrivilege	1788	huuqkjdoqc
Token: SeRestorePrivilege	1788	huuqkjdoqc
Token: SeBackupPrivilege	284	svchost.exe
Token: SeRestorePrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeSecurityPrivilege	284	svchost.exe
Token: SeSecurityPrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeSecurityPrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeSecurityPrivilege	284	svchost.exe
Token: SeBackupPrivilege	284	svchost.exe
Token: SeRestorePrivilege	284	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1788	2876	6bfaf13f199eea66483a44878dd5a646.exe	27
PID 2876 wrote to memory of 1788	2876	6bfaf13f199eea66483a44878dd5a646.exe	27
PID 2876 wrote to memory of 1788	2876	6bfaf13f199eea66483a44878dd5a646.exe	27
PID 2876 wrote to memory of 1788	2876	6bfaf13f199eea66483a44878dd5a646.exe	27

C:\Users\Admin\AppData\Local\Temp\6bfaf13f199eea66483a44878dd5a646.exe
"C:\Users\Admin\AppData\Local\Temp\6bfaf13f199eea66483a44878dd5a646.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- \??\c:\users\admin\appdata\local\huuqkjdoqc
  "C:\Users\Admin\AppData\Local\Temp\6bfaf13f199eea66483a44878dd5a646.exe" a -sc:\users\admin\appdata\local\temp\6bfaf13f199eea66483a44878dd5a646.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\huuqkjdoqc

Filesize
20.9MB

MD5
c5bcbb2bac20a31037c4a16ed7a91eb6

SHA1
c827cf030b68eae17e90c9e90787f1987ee24874

SHA256
76e1891e84306214d3856894fe70bf432b2c1db987c2c76705af380d722a474e

SHA512
9ba8850805135f1a0304663a492898a133ec155e1e488b1322119a2aab8fb853e4fdbf7ed178066d1b6e28aeb49cafbe91b701731fa55df455d76059c6d4c8a5

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\tjhcj.cc3

Filesize
8.1MB

MD5
0b541020496d67556a81228ce84c2bae

SHA1
e1bc93406c3d5da11b81e39a0c81026edb7de7cf

SHA256
a908cc15aa2688e908adad3bfd887b8636cf0c705418ec71bdcae78137ad8f81

SHA512
4a81a0c1d1646f82ccd28fb3936862af7c3d02591a55dd2892fbdb000316f37c430daa3abe025f7a27dc96cfdfda7a00774d564a15a528ff6f025d7b3ff4fcf5

Download Submit
\ProgramData\Storm\update\%SESSIONNAME%\tjhcj.cc3

Filesize
9.1MB

MD5
a2b87a7cf431448c83d0bab9074c7b2b

SHA1
58cd0582ae47585f4c9128d56dbe4e904f2e07b4

SHA256
37cf0d134e2cbd93dc560fb41f79c06d7befd0efbf98fc5254a24f71a53f404f

SHA512
25992ebaebb37e94ef65007ca1ccbb939810ad3a6468f8b1d6f839807a0b42e31cbf8f870f6adc68e0ec9f381112c4bcd75ac7d83b7a97aebfe1e02fb700f783

Download Submit
\Users\Admin\AppData\Local\huuqkjdoqc

Filesize
3.6MB

MD5
31da2f42a127eea642b45bef454d0e36

SHA1
3aed68aba5fa955dc275c529ead0b8bdcc438a46

SHA256
84d2def8f0b6339fa546bb8e5c9e4867afe7479299f452a664fea3631d983bd5

SHA512
c594275360995ab67119e2e0c065cbf4e74457a350941676d920b01b093faed32ab63bee80fc79c3c3f1e3daabd66d9981d39e2c575e36a0363d7b6a903250a9

Download Submit
\Users\Admin\AppData\Local\huuqkjdoqc

Filesize
17.0MB

MD5
2d4278d41b2569e7ed0dc77dbc05c058

SHA1
d8b060452bf8a85774a6e824ff84b6eb337ad91d

SHA256
e66cfa10f554d182086fcd7d9620147c14a371cf8510ddec47bfb63b900dac36

SHA512
b354fd2e9422ec89d8346289370f5102b413a1f34a6e1acaea7f8127469f49e4140a5e52ee94282e749e6ca6c9d1d16a0a2489f0da7adb7d70981de09aab0889

Download Submit
memory/284-28-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1788-16-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/1788-18-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1788-19-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/1788-21-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/1788-27-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/2876-14-0x0000000000270000-0x00000000002BF000-memory.dmp

Filesize
316KB

Download
memory/2876-1-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/2876-8-0x0000000000270000-0x00000000002BF000-memory.dmp

Filesize
316KB

Download
memory/2876-4-0x0000000000400000-0x000000000044E30C-memory.dmp

Filesize
312KB

Download
memory/2876-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads