gh0strat | 27f59251422932e92eda4b1ea0064c2dd86d005830646da316e9e6511f1c8bdc

General

Target

eb867fa5310709ec60c8b51f768dcf5d.exe
Size

96KB
MD5

eb867fa5310709ec60c8b51f768dcf5d
SHA1

2d61c3813518c310972a8578b90a51d2161058e5
SHA256

27f59251422932e92eda4b1ea0064c2dd86d005830646da316e9e6511f1c8bdc
SHA512

f76b246351b212ab5ab8e12abda8522f98338030e6e976cc8526b84c0c817db871bb2ba5e617e1c956fb15bbea037cc08103c9826bb5e0df3ff2e71ffc724788
SSDEEP

1536:6uFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prI7HlnxyHTH:6US4jHS8q/3nTzePCwNUh4E9I7H98HD

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000014ab5-19.dat	family_gh0strat
behavioral1/files/0x000a000000014ab5-18.dat	family_gh0strat
behavioral1/memory/2516-20-0x0000000000400000-0x000000000044E318-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2516	hrehqwgvgp

Executes dropped EXE 1 IoCs

pid	Process
2516	hrehqwgvgp

Loads dropped DLL 3 IoCs

pid	Process
2896	eb867fa5310709ec60c8b51f768dcf5d.exe
2896	eb867fa5310709ec60c8b51f768dcf5d.exe
2564	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qtdydpgoyh	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2516	hrehqwgvgp
2564	svchost.exe
2564	svchost.exe
2564	svchost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2516	hrehqwgvgp
Token: SeBackupPrivilege	2516	hrehqwgvgp
Token: SeBackupPrivilege	2516	hrehqwgvgp
Token: SeRestorePrivilege	2516	hrehqwgvgp
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeRestorePrivilege	2564	svchost.exe
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	2564	svchost.exe
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	2564	svchost.exe
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeBackupPrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	2564	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2516	2896	eb867fa5310709ec60c8b51f768dcf5d.exe	28
PID 2896 wrote to memory of 2516	2896	eb867fa5310709ec60c8b51f768dcf5d.exe	28
PID 2896 wrote to memory of 2516	2896	eb867fa5310709ec60c8b51f768dcf5d.exe	28
PID 2896 wrote to memory of 2516	2896	eb867fa5310709ec60c8b51f768dcf5d.exe	28

C:\Users\Admin\AppData\Local\Temp\eb867fa5310709ec60c8b51f768dcf5d.exe
"C:\Users\Admin\AppData\Local\Temp\eb867fa5310709ec60c8b51f768dcf5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- \??\c:\users\admin\appdata\local\hrehqwgvgp
  "C:\Users\Admin\AppData\Local\Temp\eb867fa5310709ec60c8b51f768dcf5d.exe" a -sc:\users\admin\appdata\local\temp\eb867fa5310709ec60c8b51f768dcf5d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hrehqwgvgp

Filesize
85KB

MD5
47643dca3832f7d41146e304612a8cf3

SHA1
c2435af63456fe8cfda3db4067447c1c4514ba57

SHA256
a3667817e482d9a03b5e3c81381f5c6b9360715b1ade585dcca18874b686f58a

SHA512
104ff7980497d192202730dee4db2077c0b95b4674cc216d8af512797210bc0fd0c6f16fccbd877fcb192cb6502f6c9f921aba0eab82c1dd7333dfdd09260e97

Download Submit
C:\Users\Admin\AppData\Local\hrehqwgvgp

Filesize
133KB

MD5
5c8f6e47c8d78974064bf413f2526749

SHA1
4ce960151c68511d91e8bc1088009a6e5f1e60ff

SHA256
91bce312326f28058248787dd60de907b74c9855ee932e2ba5bd8c910c759326

SHA512
754d2035808bd3b526a3a82d7f98179959eee7de74add825bd85d080bc2b8e9de6b57c69695920cd6223c93c8f1f125161b4dfdcbf2a47221c86f3cc1dd133a0

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\wfboc.cc3

Filesize
64KB

MD5
9c48b483f78334820c08090d5743b4e6

SHA1
ad17598d0129d99e5ad20f35f3831890d30b9a29

SHA256
3385e62e2504ea8f41e988ce21caf3ee4194145842f89d10a43c85105bdb4b32

SHA512
40b99c044bd50f8008dbb19cd9ee03b758c0ef4f39856f8e4d99a187bccd73eb0589e201f6b6f996adec0cf15dc7f234c15437f4766120e01a255abf308099fb

Download Submit
\ProgramData\Storm\update\%SESSIONNAME%\wfboc.cc3

Filesize
194KB

MD5
e8959b95cf2fb7f3716df2b4d9c43f5e

SHA1
2897bd85c4cccc55cb3f41445817e5a01709abab

SHA256
1fa1528aab7e05523510556d1066cc96410d61a65d5c48e480dcc6c236b73dec

SHA512
828acd45439f8a9cf162bee163b1290e4c557bfd964fe57e54bd47b3151a48028888b90fd6bd9f7ee97e04d38b1f9f841e584358a9e8205c7e502496c79b539b

Download Submit
\Users\Admin\AppData\Local\hrehqwgvgp

Filesize
49KB

MD5
1f2a55128b8126ecfe05c113b5340cbb

SHA1
718d17f0d40008aa39770ca676c2598b14561635

SHA256
9bd102db4ba94cbe3ae2df45aac54f0cb4ae5c6ab5b41237973eba04a5c983e1

SHA512
3c9a736fa13b82ec671cd449fde8d3198396a834d6909bb0a51597968b208123386aade1df6576e822a8aa82be0317a05db622b3757f0e5d5682157daaee12fe

Download Submit
\Users\Admin\AppData\Local\hrehqwgvgp

Filesize
69KB

MD5
73cdb7c18f32366f2c24c3c509bfd937

SHA1
4ff37825cedc96cde292f97e2082eeffe1cc87f7

SHA256
bbc528eda815da2ebdf07dc77033f3643409ea8572a4a55f5a0162ec986017ab

SHA512
fbd5b422bff09d49f6dd20ec0b1b209df5d3287ce4655431b00826c059c98829594808ec1c1e075f30cf4e070c2b454a2e8978d82681768a872acac70dcf2315

Download Submit
memory/2516-15-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/2516-20-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/2564-21-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2896-12-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/2896-14-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2896-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2896-1-0x0000000000400000-0x000000000044E318-memory.dmp

Filesize
312KB

Download
memory/2896-22-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads