gh0strat | 6d400a4101e0b57ee98f81daf2aba48a37defee08e872ba271a68f77f984ef9d

General

Target

74e1253d348d029b750aa054a4b021a7.exe
Size

98KB
MD5

74e1253d348d029b750aa054a4b021a7
SHA1

5c93b248f34acfc76dbf5ff4fcecf153ce115766
SHA256

6d400a4101e0b57ee98f81daf2aba48a37defee08e872ba271a68f77f984ef9d
SHA512

9ad04db2ab1c59904c784816b3d7e5080de2d770572d3e71e17c8836830c188bde3070e0c0305d406346caa3e5dab0bfc70f4ba79ea625e238781a5270ec371b
SSDEEP

1536:CkFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prVBUyrgg:CWS4jHS8q/3nTzePCwNUh4E9VBrb

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016448-19.dat	family_gh0strat
behavioral1/files/0x0009000000016448-18.dat	family_gh0strat
behavioral1/memory/1672-20-0x0000000000400000-0x000000000044E384-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1672	dscxkjljvh

Executes dropped EXE 1 IoCs

pid	Process
1672	dscxkjljvh

Loads dropped DLL 3 IoCs

pid	Process
1724	74e1253d348d029b750aa054a4b021a7.exe
1724	74e1253d348d029b750aa054a4b021a7.exe
1068	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wtodchygxi	svchost.exe
File created	C:\Windows\SysWOW64\wmjpdkuspt	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1672	dscxkjljvh
1068	svchost.exe
1068	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1672	dscxkjljvh
Token: SeBackupPrivilege	1672	dscxkjljvh
Token: SeBackupPrivilege	1672	dscxkjljvh
Token: SeRestorePrivilege	1672	dscxkjljvh
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeRestorePrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeSecurityPrivilege	1068	svchost.exe
Token: SeSecurityPrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeSecurityPrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeSecurityPrivilege	1068	svchost.exe
Token: SeBackupPrivilege	1068	svchost.exe
Token: SeRestorePrivilege	1068	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1672	1724	74e1253d348d029b750aa054a4b021a7.exe	28
PID 1724 wrote to memory of 1672	1724	74e1253d348d029b750aa054a4b021a7.exe	28
PID 1724 wrote to memory of 1672	1724	74e1253d348d029b750aa054a4b021a7.exe	28
PID 1724 wrote to memory of 1672	1724	74e1253d348d029b750aa054a4b021a7.exe	28

C:\Users\Admin\AppData\Local\Temp\74e1253d348d029b750aa054a4b021a7.exe
"C:\Users\Admin\AppData\Local\Temp\74e1253d348d029b750aa054a4b021a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- \??\c:\users\admin\appdata\local\dscxkjljvh
  "C:\Users\Admin\AppData\Local\Temp\74e1253d348d029b750aa054a4b021a7.exe" a -sc:\users\admin\appdata\local\temp\74e1253d348d029b750aa054a4b021a7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dscxkjljvh

Filesize
3.1MB

MD5
a8fc9ea628d1679f0e7e5ea2ff3ffa06

SHA1
a37614d2b87c2dc44801a86e44a97267638ac1ed

SHA256
cfb496dec911e372029fd49f68ce8e589ac5f473dbaae8d0bd29ee98e9648d04

SHA512
f3c2e2015aeafebc315d42f14ba21f7bc51bd32b7c9e67c8f638b6a53c0539bb5d711b57a384e199dd87816c82055abd06b07425aaa9c44191a3725d7e803525

Download Submit
C:\Users\Admin\AppData\Local\dscxkjljvh

Filesize
3.2MB

MD5
4e3530fb4cd498f63a50b26a3b9ade28

SHA1
a77c6eddc90fc0091b8b95c1a3ba0715c97d23a4

SHA256
983965727b9ab180bcc7800e2ee43bb18fb0cfb0f77302cffbcd8ddc17ed90b9

SHA512
5456c702ad7cda77ddb02ed37046a69f180a69ee2887a657aa8761ea1b2cf61760e1022711d5a7306beb2ca72535347e611b7d6d2f9436c7cb61c5b672bfd5ea

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\eikbo.cc3

Filesize
31KB

MD5
9ad6d29441df7221ba7b5b414fc1537e

SHA1
5c65e295d2e418072e0cadb517a79a7e192dda7b

SHA256
e7ec1f13c2e46e5cdbfa39e85938da98057fd9e3694f1c90fcf248d086ca2d58

SHA512
ec0b2a114bc6456fb51f033b68d520d62c5220cb1453f45dfbc250bcf90548a7470b3c8395fcf6651307de7932b9fe86686d1cd862f8144757d3b384663b2f64

Download Submit
\??\c:\users\admin\appdata\local\dscxkjljvh

Filesize
366KB

MD5
39e4e71c4b8535a4ad947e38f9a6246b

SHA1
e9ce9c05744ad2ddfd30bfb981c867ae585479c7

SHA256
4f0ca2b2be56ec5bbfc18fb7977190b21998d550cebb805d5b5a6e38f5ec25b5

SHA512
781c6b78eb575f1c8905dbc41d5814fbb1febe30c3469d62f5590298633b4598b0ff3332c25735dea8137c9cdc6be0894966563f38a77fed5e3af6b7cf98f765

Download Submit
\ProgramData\Storm\update\%SESSIONNAME%\eikbo.cc3

Filesize
35KB

MD5
8724673f75fb6ed1cd823c4738ef99d7

SHA1
ad842d46969db9ad3756b7e7293a654b0eb13c82

SHA256
7ead3d3a577effed3a5a565ed6880e2f59818b3b7d47aaa434bd0cde49174dfd

SHA512
affe7e577d0e853285d31de00fde9d75a074ea5bf861d0b876e4b08a1ac4f38d3069eda7ae946ba33694b7db3aac0549bb77908afb6f0813dc7d7db97313229d

Download Submit
\Users\Admin\AppData\Local\dscxkjljvh

Filesize
4.1MB

MD5
fbfa0917095ebd3df45640d627cfbcd7

SHA1
1528e0f9a457549bb5b39678497bf0420589583d

SHA256
7af32acea70f5bbd0e04559e62cef89481f0ab49f26451d099abc178784f3ce8

SHA512
65032b49527c18c8ea7ce19a39de908c8186d7612cab352e90d4410163e274a39f1a0c86abd8d095392673ee2c51d192b44849f51b1e738172684917094a17fb

Download Submit
\Users\Admin\AppData\Local\dscxkjljvh

Filesize
3.5MB

MD5
08d0b3d99011fdf515aa13b1cc98cdbc

SHA1
ae0b23794bb868ac10594b276da61c8f4ed5e20b

SHA256
6fbea5fc39bc8ae036e06c1791674b552209f170e756fcb21085a46f4487d65f

SHA512
b5ab88b3ad00e9a7a5a44ab2e57f8e04136dbc0a38dc5fcf1acf3587ef4bb8b40cd23c6530878bc440793c202f16214a580eb07c32c2a3a4efe9870d443beebf

Download Submit
memory/1068-21-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1672-15-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/1672-20-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/1724-1-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/1724-14-0x00000000002B0000-0x00000000002FF000-memory.dmp

Filesize
316KB

Download
memory/1724-12-0x0000000000400000-0x000000000044E384-memory.dmp

Filesize
312KB

Download
memory/1724-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads