gh0strat | a915f8bec41c30c7e93b2170187f0888aec0efd3a16eacb4b466aa70fcf5e59d

General

Target

1f8ef14121f87dc3c1f0fe50da2642b0.exe
Size

95KB
MD5

1f8ef14121f87dc3c1f0fe50da2642b0
SHA1

7d291795e2f6aba675fedaf16f3381b1a576c63c
SHA256

a915f8bec41c30c7e93b2170187f0888aec0efd3a16eacb4b466aa70fcf5e59d
SHA512

90ae368bf91a7899cbd6a90a8f261d6a61c46dae7ec06ce3a07c5997c12dcb6b33b674ea46edf9a5fadb6b96bd6d9be21f42bb3bc859f738056edb0429d034b1
SSDEEP

1536:SYFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prFm2d11C:SKS4jHS8q/3nTzePCwNUh4E9Fm2d11C

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013a3f-20.dat	family_gh0strat
behavioral1/files/0x000c000000013a3f-19.dat	family_gh0strat
behavioral1/memory/3052-21-0x0000000000400000-0x000000000044E478-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
3052	ijpiulccxi

Executes dropped EXE 1 IoCs

pid	Process
3052	ijpiulccxi

Loads dropped DLL 3 IoCs

pid	Process
2980	1f8ef14121f87dc3c1f0fe50da2642b0.exe
2980	1f8ef14121f87dc3c1f0fe50da2642b0.exe
2820	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xjjaeyfppl	svchost.exe
File created	C:\Windows\SysWOW64\xvcxdnufth	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3052	ijpiulccxi
2820	svchost.exe
2820	svchost.exe
2820	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	3052	ijpiulccxi
Token: SeBackupPrivilege	3052	ijpiulccxi
Token: SeBackupPrivilege	3052	ijpiulccxi
Token: SeRestorePrivilege	3052	ijpiulccxi
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3052	2980	1f8ef14121f87dc3c1f0fe50da2642b0.exe	28
PID 2980 wrote to memory of 3052	2980	1f8ef14121f87dc3c1f0fe50da2642b0.exe	28
PID 2980 wrote to memory of 3052	2980	1f8ef14121f87dc3c1f0fe50da2642b0.exe	28
PID 2980 wrote to memory of 3052	2980	1f8ef14121f87dc3c1f0fe50da2642b0.exe	28

C:\Users\Admin\AppData\Local\Temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe
"C:\Users\Admin\AppData\Local\Temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- \??\c:\users\admin\appdata\local\ijpiulccxi
  "C:\Users\Admin\AppData\Local\Temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe" a -sc:\users\admin\appdata\local\temp\1f8ef14121f87dc3c1f0fe50da2642b0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\application data\storm\update\%sessionname%\vwpqu.cc3

Filesize
107KB

MD5
4af642ff1cc13575ad74b21aaa608a9c

SHA1
c7c1bef68831038cb39c4f51e13c8490b220b184

SHA256
5a866a62b8c35f94f8a69446d352a875c9895d1db0ab414177be26ca5f9abaf0

SHA512
051f8e162bf35b3b1eede556b2c1c098bf71c27eea365628b8c9856541d4cd850699a3377313e0243302378ffd75711b1b48ae900054f0599bac56a74016b7b3

Download Submit
\??\c:\users\admin\appdata\local\ijpiulccxi

Filesize
45KB

MD5
7af1716174d8ea1507da23bb32590418

SHA1
1f05ba72e28625f9bd4759c34913f6ed2364eb63

SHA256
35ede85e99df5bf8c745b99c3d9b9bbb45af9854a79248f6987d5fddeaa1182b

SHA512
3602947f5bd7d34d2f9622567f7d1cc3eed579950e72b680ce425fa24bfe635581e964979fb1c6fb4e5aa46e414531d9bb64ab548cf999db98c3949c6ce4ce26

Download Submit
\ProgramData\Storm\update\%SESSIONNAME%\vwpqu.cc3

Filesize
96KB

MD5
d62a3cdfe29a14a9ba06ddc178d9ae4c

SHA1
7f4afcee46ea1051ac7e3e3cda352177c3848f91

SHA256
2e88bf907f75c789718fd42a6e1b6f3ca073799e77c822d0513c41232b7fc2d0

SHA512
73df52170c46173e239d915930ab722253568a6c76dd7afef7e901c8b431e49bcf37057f325fb64975f77a6abf0ac7891e07e9586775ad64b696f429d9777ca8

Download Submit
\Users\Admin\AppData\Local\ijpiulccxi

Filesize
647KB

MD5
8bc49c00c9b5ba1659d93e2670ee7464

SHA1
1b3aca532c1a274d258eaa8f1a0502c4e7aaa121

SHA256
27aa925c8db5a1ddf398802ac0a689819a80059195494b74cd1ea2eff9079839

SHA512
c0f0b50c6af93f7d7f38eb64705d32bd56b03316e2df6df1eb9ae804171f1bdfbf03279f839e128004b3516c8833e3fd75bc25b0bd6033e309620b3d4b1b6c8c

Download Submit
\Users\Admin\AppData\Local\ijpiulccxi

Filesize
122KB

MD5
1c5520117f14fad54adbfb8689dda5db

SHA1
a4ab47ca8abcd0dabd337ec2bfc616190f6a2263

SHA256
3c519a38f79be2b9050d3b6bc18e343f8806bc36ed53be62435b3c54acc1a161

SHA512
e9c3bb20ac26095924dcddacd7ae2fddbd06d900930c3b777b6adcdb89041236abecf263ec6c49bc11045ffbe5c4991a6fdcd6c006db26d94dee7e61051c792b

Download Submit
memory/2820-22-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2980-14-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2980-12-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/2980-6-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2980-0-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/2980-23-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/3052-15-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download
memory/3052-16-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/3052-21-0x0000000000400000-0x000000000044E478-memory.dmp

Filesize
313KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads