gh0strat | 7de295451280b0ee5d90c6709f39d641f81d446b34d35b20422acb3919048ce9

General

Target

a1dabee55a5be6215cb878eaa446297f.exe
Size

124KB
MD5

a1dabee55a5be6215cb878eaa446297f
SHA1

e555a80052ab2efa7bd2d3812ddd74d5e79bbfea
SHA256

7de295451280b0ee5d90c6709f39d641f81d446b34d35b20422acb3919048ce9
SHA512

06be1c66dafe3e59e1600120e2d020d23c4e41a26d33e6e26e32e5cb058478bb4bb9d4d1ba74f02ed4c2b6f905c95e9cde536b57f48b9e4c03708da73b37f42b
SSDEEP

3072:MsfUOo0WR627ugGLBpgZOY2BvuxssylF9vrxyo6SVoAV6:lMOonR62qgGLBpg4B8slF91D63AV

Score

10^/10

gh0strat bootkit persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001224d-3.dat	family_gh0strat
behavioral1/memory/2232-5-0x0000000000400000-0x0000000000453000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fastuserswitchingcompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\ntfastuserswitchingcompatibility.dll"	a1dabee55a5be6215cb878eaa446297f.exe

Deletes itself 1 IoCs

pid	Process
1716	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1716	svchost.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2232-0-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect
behavioral1/memory/2232-5-0x0000000000400000-0x0000000000453000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll	a1dabee55a5be6215cb878eaa446297f.exe
File opened for modification	C:\Windows\SysWOW64\d2f5ca0e.del	a1dabee55a5be6215cb878eaa446297f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	a1dabee55a5be6215cb878eaa446297f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	1716	svchost.exe
Token: SeSecurityPrivilege	1716	svchost.exe
Token: SeSecurityPrivilege	1716	svchost.exe
Token: SeBackupPrivilege	1716	svchost.exe
Token: SeSecurityPrivilege	1716	svchost.exe
Token: SeBackupPrivilege	1716	svchost.exe
Token: SeSecurityPrivilege	1716	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a1dabee55a5be6215cb878eaa446297f.exe
"C:\Users\Admin\AppData\Local\Temp\a1dabee55a5be6215cb878eaa446297f.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ntfastuserswitchingcompatibility.dll

Filesize
148KB

MD5
1d1409253d9138565cbe9e83b803a0f9

SHA1
613c358a38fe9968d3f3c4bbc214ababee2ee9c9

SHA256
45ea5f6c2a3373e22bea522cc2da909b5c7997eb229354c8e83a315cc12c15f5

SHA512
73636f0a502111e7baf7ec8c4673844921948ea1eaf9313c65f3c2d339dfe4458c1f1df22949220d9d5059f19fd8729f7e71d2f58fa08c4bca103d39753be7c4

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-5-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads