gh0strat | 12caf5c2952a719a8cc750b8cb087abba9d8fd4a076a953b618b4eeb5d7934c1

General

Target

bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe
Size

96KB
MD5

bef8ccb45e8ba48acf3d0e5e95e3dcb4
SHA1

a1d1a16a91fba4932780ad78cd35ec4c43cd32de
SHA256

12caf5c2952a719a8cc750b8cb087abba9d8fd4a076a953b618b4eeb5d7934c1
SHA512

173a013e00f44a23f40a520c1b1ebee638ec439b821dc6efc1adb75ffa40ae9dfaf9f8b1e53647b2c0b9825b6c54f78cb4a229e8c8669f4811dadc69f1ec1dee
SSDEEP

1536:5MFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prORPHtBzzIn:5eS4jHS8q/3nTzePCwNUh4E9OJtBzzG

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000e000000015661-20.dat	family_gh0strat
behavioral1/files/0x000e000000015661-19.dat	family_gh0strat
behavioral1/memory/1792-21-0x0000000000400000-0x000000000044E374-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
1792	fgqpluhywl

Executes dropped EXE 1 IoCs

pid	Process
1792	fgqpluhywl

Loads dropped DLL 3 IoCs

pid	Process
2128	bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe
2128	bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe
2580	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wwxoecwpkv	svchost.exe
File created	C:\Windows\SysWOW64\wfmimfynxq	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1792	fgqpluhywl
2580	svchost.exe
2580	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1792	fgqpluhywl
Token: SeBackupPrivilege	1792	fgqpluhywl
Token: SeBackupPrivilege	1792	fgqpluhywl
Token: SeRestorePrivilege	1792	fgqpluhywl
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1792	2128	bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe	28
PID 2128 wrote to memory of 1792	2128	bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe	28
PID 2128 wrote to memory of 1792	2128	bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe	28
PID 2128 wrote to memory of 1792	2128	bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe	28

C:\Users\Admin\AppData\Local\Temp\bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe
"C:\Users\Admin\AppData\Local\Temp\bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- \??\c:\users\admin\appdata\local\fgqpluhywl
  "C:\Users\Admin\AppData\Local\Temp\bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe" a -sc:\users\admin\appdata\local\temp\bef8ccb45e8ba48acf3d0e5e95e3dcb4.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fgqpluhywl

Filesize
2.5MB

MD5
6a35bfb785b226c1178b5464ccd233d1

SHA1
2b1b916ddf607675e849b2ba4fdb8d9957e4d2b3

SHA256
4b4f852ff89eece851983389b230daf8e29187706c36149f2804751988d8ccc6

SHA512
6f47e3ef9ea56b26a0edb47ac92ab7938521a1c9e90dd195660fe05d697aa398a5c5f1c4034b328bcf526902c5cd39fb4b10a18d0772fa62534141ae6e7ee31f

Download Submit
C:\Users\Admin\AppData\Local\fgqpluhywl

Filesize
2.2MB

MD5
3be25f919b8b9371784e761cd19f0508

SHA1
f174d59d4647601e3603b37e2fcdb107e392ac22

SHA256
f33f889289dbf14b2950db65b90655359e5f7819e85d9272054ff66a745d6efa

SHA512
835949d250c3e9dcd94b1e67f6d5ffded17c6060f36f0cb8544c7601b92ecfab2a7dbf26944ad52c8f9c72098340a3906e20e76b4014a85ed934074825a8c21c

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\qtwxw.cc3

Filesize
4.4MB

MD5
29bcf477ebc6e044ae6f8437ecb095d8

SHA1
368e892a53d1622c1008f34714ad618d998960b2

SHA256
5b8fa1975f5ca56176d9eb55d0788a8c23dd8f20d48fda0ec9a016ed5bf38adf

SHA512
96b7a0c1e495ad1af8d1ad4daab12bb1f18430737449443b1163a09d7a72e7db481a90e1b847ebb767d4d287804a5fd7e27bbfd4117a515cdb4c359a02de980a

Download Submit
\??\c:\users\admin\appdata\local\fgqpluhywl

Filesize
6.8MB

MD5
3d5c7fcffca295860cf24d5bd1250020

SHA1
49a0acc23dbca17875ff486910b0049fd039d536

SHA256
44cfa5965d6cd3c103ae372682ba609664ee173aae97737dfdf26775c1424aa7

SHA512
b1ae3d4cd1184cdb415276fcda5d42cd996e2dfaed1cf530d46dbfcedded12b1a6b080d36331c35e29cf83ceab0f0daef21e29a03d3cc7dd91d21347f58f113b

Download Submit
\ProgramData\Storm\update\%SESSIONNAME%\qtwxw.cc3

Filesize
3.9MB

MD5
3a281912d79085f0c81c6b8e48199093

SHA1
433ba6c5af28e4f7db60945aac9aad4bbbe3d3a6

SHA256
91a8a61045289fe1553d36be076fea0c19c9eb0d8bb3ff686b89fb9b901a5f6e

SHA512
477565a8fccb7e3cd603ef9245317f80d0c4bb9c8637da61d22818d46ad65ff902edc76927c9c3f46ed6b815978a5a6e7f61263449e6040c535f3a3831f2f770

Download Submit
\Users\Admin\AppData\Local\fgqpluhywl

Filesize
3.2MB

MD5
c48bbc8532b64a868bebbf09f73c598d

SHA1
45d37b90587f41d42dcc01612e502fe11ab00793

SHA256
330f7948717cca15ac4fbe1e1633695d11e837a72e33eb7ecc4db9ecf51cfb0c

SHA512
0678aafce2d503e5139739f2452847399300f5f431fac8eb13c75ce646b89654a054f73497e44d54ca9b8927974c467012b81333254571f6afa7c924c32d446d

Download Submit
\Users\Admin\AppData\Local\fgqpluhywl

Filesize
3.1MB

MD5
6c077a69b7011f17946be831b1ba377d

SHA1
723aadd906a0bc8e51ab037d8bf55e1cfbf1d9c9

SHA256
d354ac2df83a7ff2f64fda29d22ced3057812932906582788822767b23a5c3ba

SHA512
fd9666455e2c26d149c0a4e3e3bf187aae024f30a2b578ac934565aaa41343b72c55ad3a32c9fadc7212e7327a53ea0743871a22edcecb9bac8c955d9689661f

Download Submit
memory/1792-21-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/1792-16-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/2128-12-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/2128-13-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2128-6-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2128-1-0x0000000000400000-0x000000000044E374-memory.dmp

Filesize
312KB

Download
memory/2128-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2128-24-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2580-22-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads