gh0strat | 963ed0909e317cbef3063bb417ecab92d3b95c4577409f1745cf5f81cffee318

General

Target

PCBoost.exe
Size

291KB
MD5

8e082840ba73601cf3500b473be9530a
SHA1

cfaf2f80209bba131ce916610f224718dec4a4a1
SHA256

f2a842bf291c54705a59e3a4c388310e692ec1608dbfc3c4921b709b2f45193f
SHA512

16694c951e851533b6088be619f31208e989611c32f3d191c1bc1af6fb76c493874d1b382e56bf748e00210a21d63055c985decc71fff0f3a81adc09551cbe25
SSDEEP

3072:Inj9jtfU+INndIc0JWo5vmu2bOsmu2bOns8AbphCFUARI0Fx5IlBANTQ9a+mrMnm:IjbeiHibVibws8AujIbAN89RmUhV5sCw

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0030000000014721-15.dat	family_gh0strat
behavioral1/memory/1752-27-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ÏµÍ³²¹¶¡Éý¼¶³ÌÐò\Parameters\ServiceDll = "C:\\Windows\\system32\\PPSAHD.dll"	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1752	¸çÃÇºÃ~1.EXE

Loads dropped DLL 8 IoCs

pid	Process
1644	PCBoost.exe
1644	PCBoost.exe
1752	¸çÃÇºÃ~1.EXE
1752	¸çÃÇºÃ~1.EXE
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	PCBoost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PPSAHD.ini	¸çÃÇºÃ~1.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	1752	WerFault.exe	28

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1644 wrote to memory of 1752	1644	PCBoost.exe	28
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2420	1752	¸çÃÇºÃ~1.EXE	29
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31
PID 1752 wrote to memory of 2740	1752	¸çÃÇºÃ~1.EXE	31

C:\Users\Admin\AppData\Local\Temp\PCBoost.exe
"C:\Users\Admin\AppData\Local\Temp\PCBoost.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸çÃÇºÃ~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸çÃÇºÃ~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\PPSAHD.dll setup
    3⤵
    - Sets DLL path for service in the registry
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸çÃÇºÃ~1.EXE

Filesize
51KB

MD5
f789296c231b8a057b5687c9d0775f99

SHA1
29a9481b5cf64655e6f8e06f944b2cf2ac871585

SHA256
0b60ef302c3df351941bc936572ddb69770ce226cd3418ea433a1dc92325c76c

SHA512
7b538de2c842e1894badda2a98125d4c3ae7344cc5b977f0d9b153708d69d3e0f54bbec0c784ad794eb5512d3a957491676e92a602d1ce7ca1eb28dfd93b6b84

Download Submit
\Users\Admin\AppData\Local\Temp\Server.tmp

Filesize
108KB

MD5
7a6e39ef6874d2ae9e6bbd2d0fd21a29

SHA1
6a4baa6c7f1722ae2c5598e0c9ef104431660267

SHA256
073fe0cf6f7229cd0498852c56b5d42165ff190ed938aec5dbb47f8d330c3ab2

SHA512
e59abbdf920a9aa91e3dedd468b8655616fe13f6fcee17b05340592f09d8e84dc86387495d0ffe5f645649bc6234ebc1705b9d1320f090a21be00f14d53c7475

Download Submit
memory/1644-9-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1644-10-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1644-26-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1644-25-0x00000000001C0000-0x00000000001EE000-memory.dmp

Filesize
184KB

Download
memory/1752-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1752-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads