gh0strat | 28d6550ecd85749c68dd2d947769e977aedc1a7887ca4a415106b0dd4b792370

General

Target

371ac34cd998b94b6d0abe94f43dee70.exe
Size

95KB
MD5

371ac34cd998b94b6d0abe94f43dee70
SHA1

f09f974beb7df42de9dec5a5d2b09afeb302f78d
SHA256

28d6550ecd85749c68dd2d947769e977aedc1a7887ca4a415106b0dd4b792370
SHA512

d2152f1b678f2f8f3dd347d919aa900ac35c254ad11af0ebb87ba44f7db2648bd6a089c405d722d76d4a0b1844737c2336a15234c5447f9339b27ef8225219a7
SSDEEP

1536:vRFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prklvQKLrW:vHS4jHS8q/3nTzePCwNUh4E9ojLrW

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000016d05-20.dat	family_gh0strat
behavioral1/files/0x000a000000016d05-19.dat	family_gh0strat
behavioral1/memory/2016-21-0x0000000000400000-0x000000000044E3E8-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2016	egelxgsjrh

Executes dropped EXE 1 IoCs

pid	Process
2016	egelxgsjrh

Loads dropped DLL 3 IoCs

pid	Process
1984	371ac34cd998b94b6d0abe94f43dee70.exe
1984	371ac34cd998b94b6d0abe94f43dee70.exe
592	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rgoowtlcag	svchost.exe
File created	C:\Windows\SysWOW64\rrecrjxwrk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2016	egelxgsjrh
592	svchost.exe
592	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2016	egelxgsjrh
Token: SeBackupPrivilege	2016	egelxgsjrh
Token: SeBackupPrivilege	2016	egelxgsjrh
Token: SeRestorePrivilege	2016	egelxgsjrh
Token: SeBackupPrivilege	592	svchost.exe
Token: SeRestorePrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeSecurityPrivilege	592	svchost.exe
Token: SeSecurityPrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeSecurityPrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeSecurityPrivilege	592	svchost.exe
Token: SeBackupPrivilege	592	svchost.exe
Token: SeRestorePrivilege	592	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2016	1984	371ac34cd998b94b6d0abe94f43dee70.exe	28
PID 1984 wrote to memory of 2016	1984	371ac34cd998b94b6d0abe94f43dee70.exe	28
PID 1984 wrote to memory of 2016	1984	371ac34cd998b94b6d0abe94f43dee70.exe	28
PID 1984 wrote to memory of 2016	1984	371ac34cd998b94b6d0abe94f43dee70.exe	28

C:\Users\Admin\AppData\Local\Temp\371ac34cd998b94b6d0abe94f43dee70.exe
"C:\Users\Admin\AppData\Local\Temp\371ac34cd998b94b6d0abe94f43dee70.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- \??\c:\users\admin\appdata\local\egelxgsjrh
  "C:\Users\Admin\AppData\Local\Temp\371ac34cd998b94b6d0abe94f43dee70.exe" a -sc:\users\admin\appdata\local\temp\371ac34cd998b94b6d0abe94f43dee70.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\egelxgsjrh

Filesize
85KB

MD5
f4364cd79928a817685e0e5825f2b834

SHA1
fc86965baff8b68b236040b3e828b81160d739ae

SHA256
cb171f780e1efb0b8922e20e53170e46560f62ecd9b83bde8eab8fff6403c0d6

SHA512
a1f135f2392a17c426b83bbcee9e360068ef9277caac76129a48946f244b4f13fa5183007af6b7df12543ecc809ed4d76dab0190fb2f7424cc902e6f8fe12516

Download Submit
C:\Users\Admin\AppData\Local\egelxgsjrh

Filesize
86KB

MD5
fb9829e361b2b4c58df376b64ab2031d

SHA1
a4c1fc2679e68ccaf2f2b94d97042f30e9c5a643

SHA256
51d0f5039780bb9cc8e425c445d32647c6acdc0104664de665893abc52f7b46d

SHA512
27caeab05d12abb378657bdde97d92abca75f80858562dc2fa9dd6ebf227c85115ba0929d5bab8d8ed4dc9e1e3ded1f74b2f3724b87b536ca62a32fd4ae451ce

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\chxpm.cc3

Filesize
32KB

MD5
ec32647467b832d12b600440b5cf8ae0

SHA1
8c8940a4e94225756e895ede1fbb54fc8619dfa7

SHA256
5298774150fc920c48652d3b5dfeccd2afb1562a9f032f0deaea120d78c68692

SHA512
cf5fd1f988bbbbb882347129de960fe8bbfce22789df85efd5dc7f91ae99f571e8d6e2efbd66dd74c4d23e55bde3e4657a00b305934bea27e968487294c498ea

Download Submit
\??\c:\users\admin\appdata\local\egelxgsjrh

Filesize
288KB

MD5
41e389ef49871b10532247c3385c1838

SHA1
141735aa25f081c46dec0e5aac99b40861c2740a

SHA256
fd60b84f30c73a689c6d2399707bb1648b70f420b96cd147838ab3f3f2684d65

SHA512
e9a55c8a43ef1df46e842b15829a05d56b953efd97e946229a76d3f623c23ab2e75a60401d16fa3345587ad083021213a750af57ea634b690b21aca6008ef31f

Download Submit
\Users\Admin\AppData\Local\egelxgsjrh

Filesize
1.3MB

MD5
6582a0beee8eedd0f51e00d535167b7c

SHA1
2429459b9754ae6b9a5511bdf6c573dc1d5d2a92

SHA256
515ead1832d372513ccf828c4adaab6fd80fd99a173c76360be3badcab5a5c03

SHA512
783916f36b6b6deceb959fe1e5e9dfc5030717446faea6ff68739b1d5a3237cc45d6dded4dddfc4f2922c52c66e0b4f07188278e9ee6f4a548e4bc65b10e954f

Download Submit
\Users\Admin\AppData\Local\egelxgsjrh

Filesize
894KB

MD5
a71ea3019cfdceaad32eb54d9a941cea

SHA1
92764f214d704039600f169670a53b68efac1156

SHA256
651ea5eccd80611badc237c582232819e6695955f188238f684e0bac94ca3ac9

SHA512
8261efc58458616f781628d9a8231da3243af3d14845bbab5ba02347276aeb91f874cd7fbe3e9f305f31d52debaf8e3bac825bac9e4abfcb4c369cdeb37a691d

Download Submit
memory/592-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1984-12-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download
memory/1984-6-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/1984-0-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download
memory/1984-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2016-16-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2016-15-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download
memory/2016-21-0x0000000000400000-0x000000000044E3E8-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads