gh0strat | a2dc871f4bf02e16f9c7a4c83ebbc31685bf5e07cad527e6a136cf6644cabd94

General

Target

c062b4035e18c234c235dc9c9e89d830.exe
Size

95KB
MD5

c062b4035e18c234c235dc9c9e89d830
SHA1

efa1ab7ebe879a326b15a2f0977b13280eb5fa76
SHA256

a2dc871f4bf02e16f9c7a4c83ebbc31685bf5e07cad527e6a136cf6644cabd94
SHA512

256bc4a9e7f878310a9aec331047ef14410ad1d54f1e816d38b931587543df7e7859e8e1f48e430fbafb45c645b61d5745ecfdc8f13e33fbdbca8cb946db4a29
SSDEEP

1536:CYFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prPUSry9KLu:CKS4jHS8q/3nTzePCwNUh4E9PUSu9KLu

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015c3d-18.dat	family_gh0strat
behavioral1/files/0x000a000000015c3d-17.dat	family_gh0strat
behavioral1/memory/2516-19-0x0000000000400000-0x000000000044E404-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Deletes itself 1 IoCs

pid	Process
2516	esqduhxrtm

Executes dropped EXE 1 IoCs

pid	Process
2516	esqduhxrtm

Loads dropped DLL 2 IoCs

pid	Process
1988	c062b4035e18c234c235dc9c9e89d830.exe
3020	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ssxcybpwhj	svchost.exe
File created	C:\Windows\SysWOW64\sjqsoqclul	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2516	esqduhxrtm
3020	svchost.exe
3020	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2516	esqduhxrtm
Token: SeBackupPrivilege	2516	esqduhxrtm
Token: SeBackupPrivilege	2516	esqduhxrtm
Token: SeRestorePrivilege	2516	esqduhxrtm
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeRestorePrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeSecurityPrivilege	3020	svchost.exe
Token: SeSecurityPrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeSecurityPrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeSecurityPrivilege	3020	svchost.exe
Token: SeBackupPrivilege	3020	svchost.exe
Token: SeRestorePrivilege	3020	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28
PID 1988 wrote to memory of 2516	1988	c062b4035e18c234c235dc9c9e89d830.exe	28

C:\Users\Admin\AppData\Local\Temp\c062b4035e18c234c235dc9c9e89d830.exe
"C:\Users\Admin\AppData\Local\Temp\c062b4035e18c234c235dc9c9e89d830.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- \??\c:\users\admin\appdata\local\esqduhxrtm
  "C:\Users\Admin\AppData\Local\Temp\c062b4035e18c234c235dc9c9e89d830.exe" a -sc:\users\admin\appdata\local\temp\c062b4035e18c234c235dc9c9e89d830.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\esqduhxrtm

Filesize
295KB

MD5
90adc9c6e586c7aacfc08e4575e019f3

SHA1
acf455080af071e7d14145f5486f6cc1c74ddeed

SHA256
28d52205614e9092fae7ce3386641dd167b03f00e55a887d14b257c8cf08f1e0

SHA512
e7d12840658c4779eeabe5fc39d20044e8f7e502fd719c1c1291a94c60a52e5f5f51de5bb1c45103ba13595dd45ce4ec110348ba0b30fdaeacc9292601d5eeb1

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\bjqcn.cc3

Filesize
3.2MB

MD5
7f32d1c2db6ae2f0265afc21896fdeff

SHA1
dbb771589aa072c2053e9035b1f59ebb1f29e324

SHA256
a30a62ddfdcb8bc419524ba7e626033e9f25db5885045c319ea9150cef7848d4

SHA512
dd82b791a9e95c8741c935ce5b57d5a744476a15f9332997cbfc91c62362005fe292e4694b630c5bba4a5b4cb53c88748e8be59a4543c83d26774071be26e468

Download Submit
\??\c:\users\admin\appdata\local\esqduhxrtm

Filesize
336KB

MD5
0b30ff178ba154faa0234969eb44a941

SHA1
58a620e6ac8e9d109842a9b75e881ea6259b9620

SHA256
92e93c7dea646c064a0f282875b099e7e9c489de099622fef7df494e942d25c7

SHA512
a82ebd2ce625ec3deb41ea053c6c1d79a5f125b5ffee94feb32c0c38ca444db3319b1867c91195f94cc4d1002cb14cb64d2c85c48a55ce854d0004a8526e8175

Download Submit
\ProgramData\Storm\update\%SESSIONNAME%\bjqcn.cc3

Filesize
3.2MB

MD5
9e935afe4219405440480db987184eb0

SHA1
c26c319813b81c2a6fff1bac7cb4303b867b7a8c

SHA256
5f4bfe9017bd149578b20de349ad558cb3538d977b2c82a23e2c1a7e4aff3415

SHA512
1dd0d43235747d8ef9e4fcbaf3869e5e1a2b59a500a5f12ee5a6823e43e4ff2083594c01e9e16d608b5fe0cb030b7a4adb36847d16231d86906533f715fafe9d

Download Submit
\Users\Admin\AppData\Local\esqduhxrtm

Filesize
1.8MB

MD5
88af712a14e3578758fbf9a92ac6ccca

SHA1
1a51bc870e06991cce049903fe24d354aec4042e

SHA256
21fb27a1ce0d29d4c4c9adf975ea069872fbdeee2d6fda90e2fe9dde75900f4c

SHA512
38b55994ad228718c67300bf8ac00d0d07d8eb6fd0f2c51478f7f90f3aafdfa08caadf488ed315b47399ee5e8256b74b33aeeb3a2a9a67436dcf9fa7d75bfeb6

Download Submit
memory/1988-8-0x0000000000370000-0x00000000003BF000-memory.dmp

Filesize
316KB

Download
memory/1988-10-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/1988-0-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/1988-3-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/1988-1-0x0000000000230000-0x000000000027F000-memory.dmp

Filesize
316KB

Download
memory/2516-14-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/2516-19-0x0000000000400000-0x000000000044E404-memory.dmp

Filesize
313KB

Download
memory/3020-20-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads