gh0strat | 6700aafcd1e47c077d76bba6ec8bbc573a8da2aad10d473269839fc085de1b2c

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b897b5a2c190a2229b451b7858aa42ed.exe
Size

264KB
MD5

b897b5a2c190a2229b451b7858aa42ed
SHA1

acc77091772c8ee5050131b666596520ee12a57b
SHA256

6700aafcd1e47c077d76bba6ec8bbc573a8da2aad10d473269839fc085de1b2c
SHA512

37592aed9b0abe216b15374f7591eaaf9fa5e3b61df7edcafd7b88a7744e408fbb9ebaab9276db485f716380ec6c50e9f92680749af114a8d1749aa76373accc
SSDEEP

6144:xhAgehnpVH0pwpM2EmMCqmeGsoozQ9b9O:7AgehnpVH0pp2yekf

Score

10^/10

gh0strat bootkit persistence rat

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001340b-20.dat	family_gh0strat
behavioral1/files/0x000c00000001340b-25.dat	family_gh0strat
behavioral1/files/0x000c00000001340b-23.dat	family_gh0strat
behavioral1/files/0x000c00000001340b-22.dat	family_gh0strat
behavioral1/files/0x000c00000001340b-21.dat	family_gh0strat
behavioral1/memory/2504-26-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2504-27-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2504-28-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/1220-29-0x0000000000400000-0x0000000000472000-memory.dmp	family_gh0strat
behavioral1/memory/1220-40-0x0000000000400000-0x0000000000472000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	alibao.exe

Loads dropped DLL 7 IoCs

pid	Process
1220	b897b5a2c190a2229b451b7858aa42ed.exe
2504	alibao.exe
2504	alibao.exe
2504	alibao.exe
2504	alibao.exe
2504	alibao.exe
2504	alibao.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	alibao.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\alihao.bat	b897b5a2c190a2229b451b7858aa42ed.exe
File created	C:\Program Files\Common Files\alibao.dll	b897b5a2c190a2229b451b7858aa42ed.exe
File created	C:\Program Files\Common Files\alibao.bat	b897b5a2c190a2229b451b7858aa42ed.exe
File created	C:\Program Files\Common Files\alibao.VBS	b897b5a2c190a2229b451b7858aa42ed.exe
File created	C:\Program Files\Common Files\alibao.exe	b897b5a2c190a2229b451b7858aa42ed.exe
File opened for modification	C:\Program Files\Common Files\alibao.exe	b897b5a2c190a2229b451b7858aa42ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	alibao.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	alibao.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	alibao.exe
2504	alibao.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2504	1220	b897b5a2c190a2229b451b7858aa42ed.exe	28
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2388	1220	b897b5a2c190a2229b451b7858aa42ed.exe	29
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 1220 wrote to memory of 2404	1220	b897b5a2c190a2229b451b7858aa42ed.exe	30
PID 2388 wrote to memory of 1348	2388	cmd.exe	33
PID 2388 wrote to memory of 1348	2388	cmd.exe	33
PID 2388 wrote to memory of 1348	2388	cmd.exe	33
PID 2388 wrote to memory of 1348	2388	cmd.exe	33
PID 2388 wrote to memory of 1348	2388	cmd.exe	33
PID 2388 wrote to memory of 1348	2388	cmd.exe	33
PID 2388 wrote to memory of 1348	2388	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\b897b5a2c190a2229b451b7858aa42ed.exe
"C:\Users\Admin\AppData\Local\Temp\b897b5a2c190a2229b451b7858aa42ed.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files\Common Files\alibao.exe
  "C:\Program Files\Common Files\alibao.exe" "C:\Program Files\Common Files\alibao.dll" ServiceMain
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\alihao.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Common Files\alibao.VBS"
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\B897B5~1.EXE
  2⤵
  - Deletes itself
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\alibao.VBS

Filesize
1KB

MD5
116a7142bbe72653f8ea7c8a9a568c3b

SHA1
8149a7db5bd43bb51454e4ccb11a5a41ef6a7dde

SHA256
e41de1869ca1f14c4bdafbfadd7a769184014ceead652aeba326659368e6c695

SHA512
3e463fd656afe51c403afb002c43e27a5c3e3a52543691c648c3253b377ec2afa4bf237b29566341b350c0d4d0e4c90a092d779e7b557fb196888e7cf89abbc7

Download Submit
C:\Program Files\Common Files\alibao.dll

Filesize
20.9MB

MD5
9bbe8b241a0a98f0960931300c28a556

SHA1
28f45a207817761c819f0e52f33d6c6ff0694bcb

SHA256
27a06ee9637df61a9f15b1c76f7e558e553b395f756161033f9b5cb7aa22092f

SHA512
2e3003b89a814f359d375c55f89ddf4be0420e600aec164f708d79a1c096e5d975e8086aaeb2cee29fc765c43d1bbe7faa0d3b8d00d54c22c8a3d0cd96c9478d

Download Submit
C:\Program Files\Common Files\alihao.bat

Filesize
57B

MD5
1cdb9bcf58f9a3764fca74fb9f3fbfc3

SHA1
12bee8a9862242ed39d4316b11b4c568c778ba0b

SHA256
4fbd276e36e32db6ef3ba7d86d57c56b870575d76adcdcd82829acd8a7ccc950

SHA512
1bc9a5d46df7f91a7b36dd3050d034a43a67bf66cdf27b5f84ce5ed0542c5b51defabbd6c38408cc1e340b4fc26f652034ee19bd24d86d495d75e54a6497acc6

Download Submit
\Program Files\Common Files\alibao.dll

Filesize
11.3MB

MD5
7d7b5934f38a03c380dccdc71be01537

SHA1
175a860eb609a3a577f5a8e65ed5ebd6ea1997c6

SHA256
be0df19fc29fd637710f1396133730447a98fd3baeb8747d126c4455ab17f482

SHA512
911eb8c7176c39d4b747d2d9fbcaab5ba7cc5b9cb19ea9471dc7e233fee25fef5a0726a94bc6700c0f65ab0c8a81a8421b6b2e310dd3943f74ec9e53f6d3ad85

Download Submit
\Program Files\Common Files\alibao.dll

Filesize
9.4MB

MD5
76109c252c61f35967958373566ddccd

SHA1
a18daf06a658d7cf9b729e35fde580a3ea963f20

SHA256
30b0309c8204a80056a1c62431fe9a997eab85ea863238d69e4cdc6ef0fb3079

SHA512
6fe07c4e6a44492671361ee9220377bd152e89b1112c4a5f0b01eebe544b219f34dd24e66f2de62e82db30ec7d280019e2d0f05eff3dea6a829444624477da52

Download Submit
\Program Files\Common Files\alibao.dll

Filesize
8.8MB

MD5
011733ed5abff6747c453cbc50c2781f

SHA1
3fc9d4e77cc9a2244e7bb61351736f97d2098080

SHA256
e96b23aae29492f193006a1539e4fa6efc27009013968fe973975e5d2de7615f

SHA512
2cad005c1595d1e284d110cd9b2f31029692c9613e9ea180964eec8140f6c9d83da6a60bdbea67433e5ca6dcb7ec004340c216eba62051753bf262c38fe952df

Download Submit
\Program Files\Common Files\alibao.dll

Filesize
7.1MB

MD5
ffd429b5a9e5035b2ed8606976d46bc2

SHA1
91fe22dbd9ed171d01dc5bfa14d568befbd2f07f

SHA256
8443107c66512ae269100e04b8272237fbac9325a2adbafb89bb84f7098a1401

SHA512
7c4e3cf9bd20a5d3af2f3ecbe65150366825364f0eb4fbbd58ee3127a0d6732396976a9f52624e8dea41dd97d358611824a84cd52c658824bf39d5e201fd2cfe

Download Submit
\Program Files\Common Files\alibao.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1220-12-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/1220-29-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-1-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/1220-3-0x00000000002F0000-0x0000000000362000-memory.dmp

Filesize
456KB

Download
memory/1220-7-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1220-2-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-4-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-39-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/1220-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-5-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/1220-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1220-30-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/2504-28-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2504-27-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2504-26-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2504-24-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download