gh0strat | df623b000d3c8ce0001450f34630d3b6a8c9793cfb3b95fcdf638751e83fd308

General

Target

1a425c5603c76007a5935a3036d884b8.exe
Size

192KB
MD5

1a425c5603c76007a5935a3036d884b8
SHA1

cad18af6cfbc3b8b9508316f7e1c02e3aa8ba4a3
SHA256

df623b000d3c8ce0001450f34630d3b6a8c9793cfb3b95fcdf638751e83fd308
SHA512

347ba6b40addc48c673513887e4765c64c1c8a59e3678363a6ebc32d5d34ad9ed9aeac68d67645c06c83bac804fd00d62204263472f467a310542ec4004e3cb2
SSDEEP

3072:BVmshbnWBsdZCSf2JZdXs9k7u7nTsB2cyrda97eXMKQWzjLFFH9IKF5nivytqHmM:+sBnWBsdZCs4Zdp784gcyrJpQ7c

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0035000000016cd3-9.dat	family_gh0strat
behavioral1/files/0x0035000000016cd3-10.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2496	fuwmdl

Executes dropped EXE 1 IoCs

pid	Process
2496	fuwmdl

Loads dropped DLL 2 IoCs

pid	Process
2196	1a425c5603c76007a5935a3036d884b8.exe
2416	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hmvgwjkghk	svchost.exe
File created	C:\Windows\SysWOW64\hujyfmmduf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\feckk.biz	fuwmdl

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	svchost.exe
2416	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2196	1a425c5603c76007a5935a3036d884b8.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2496	fuwmdl
Token: SeBackupPrivilege	2496	fuwmdl
Token: SeBackupPrivilege	2496	fuwmdl
Token: SeRestorePrivilege	2496	fuwmdl
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeRestorePrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeRestorePrivilege	2416	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28
PID 2196 wrote to memory of 2496	2196	1a425c5603c76007a5935a3036d884b8.exe	28

C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe
"C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2196
- \??\c:\users\admin\appdata\local\fuwmdl
  "C:\Users\Admin\AppData\Local\Temp\1a425c5603c76007a5935a3036d884b8.exe"a -s
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "netsvcs"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fuwmdl

Filesize
18KB

MD5
4a978ce0c7936a0fa71e98c53fdcf65b

SHA1
c565ece9e36123f80dcd42318883d4712b6df2d2

SHA256
9bffa00478854b93d8c007a67e2b648a075b8ecd65fbb1edbc614e6ba68729a0

SHA512
38949401743b5a7703673c54de1d6b8ad5572f3dcc8c45d66e125f6e0b9ee2c3ed2c52c29d7c6c88e0adfc3e20b0aeaa6feba634926eee99d1aa71f50e03e818

Download Submit
\??\c:\users\admin\appdata\local\fuwmdl

Filesize
35KB

MD5
69fd2700f0f8b8822f38a99ae661ef43

SHA1
9ef025fe79f496b2b158175989bcbfeebecad2ef

SHA256
8d476dc4ab2478bc0e86d09195dfe7d16b099297a7991b15a970c5ee0a4dd125

SHA512
4c0407d8596d55ed1c67debcab4091072bd69ee960f411cfb235634a23944f4d9033f9ff74022e14f6aaeb8c703406bd569f1a89f88d4e033e58170cceeb351e

Download Submit
\??\c:\windows\SysWOW64\feckk.biz

Filesize
14KB

MD5
36fe2ee9603a34a12f89343327281ad7

SHA1
401a8472a62bd65f5726720156bce70eca32285c

SHA256
b4b8d64cbb1f0e6f71af65f3e9b710fcfa69d0fc4e06d542340f8e0ce32bab44

SHA512
49ca07601dd23ff0e97f57f6119a6f55c015d88372feb7384210b2446bf8acf9286f1e207968119924bbb267301926ca34553f7cd230e947118c739d1aa2e571

Download Submit
\Users\Admin\AppData\Local\fuwmdl

Filesize
34KB

MD5
cf9d47e47d67a091b9ccd551eaac0035

SHA1
8a4594a532be1945d43c53eaa322769f480afae9

SHA256
06e0a0c61110e1aa8479bb1705f4fe4413bf23b7b4900fde4f11e1b011922251

SHA512
0c557470595714ab6340fb68210e1766d2740f719a5ec0a990a21f7d2fdabb7ca3b4ea99a45ddab4d38e774d46d99cd0413d69921e1f3a88fb5989ffe682b7d5

Download Submit
\Windows\SysWOW64\feckk.biz

Filesize
16KB

MD5
5c394ebcd749e891e97cde4127b0145f

SHA1
9b77847dcb400da3498bb206f0e2756a40bfd387

SHA256
ef6e89a88085d89de1b13a0128f0bd60193a8e5491022295c6ed16cf7452e995

SHA512
06795025a31bd93eea8fec30ec115d88ae45f6428b665d7df0315cace1feffbefe85ba4a29d590b7cf79d437d7a7cd805326a612950050908fc675ef064b0a5a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads