gh0strat | c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Resubmissions

02-01-2025 21:33

250102-1ejbvswpcv 10

08-12-2024 01:12

241208-bkq68azkep 10

Analysis

max time kernel
144s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dhl.exe
Size

378KB
MD5

a770ebf2e59e29c7460a01241a0a493f
SHA1

97e59e483e1fa524a305828157a50203e918ada9
SHA256

ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
SHA512

4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
SSDEEP

6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral19/memory/2996-0-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral19/files/0x0005000000019d8c-11.dat	family_gh0strat
behavioral19/memory/2996-12-0x0000000000750000-0x0000000000783000-memory.dmp	family_gh0strat
behavioral19/memory/2996-18-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral19/memory/1368-25-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral19/memory/1368-16-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral19/files/0x000600000001a06a-28.dat	family_gh0strat
behavioral19/memory/1368-31-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat
behavioral19/memory/2760-33-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral19/files/0x0009000000012281-5.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1368	ipjcvjpqbi

Executes dropped EXE 1 IoCs

pid	Process
1368	ipjcvjpqbi

Loads dropped DLL 4 IoCs

pid	Process
2996	dhl.exe
2996	dhl.exe
1368	ipjcvjpqbi
2760	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xnuefwloye	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipjcvjpqbi
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1368	ipjcvjpqbi
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	1368	ipjcvjpqbi
Token: SeBackupPrivilege	1368	ipjcvjpqbi
Token: SeBackupPrivilege	1368	ipjcvjpqbi
Token: SeRestorePrivilege	1368	ipjcvjpqbi
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeRestorePrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeSecurityPrivilege	2760	svchost.exe
Token: SeSecurityPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeSecurityPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeSecurityPrivilege	2760	svchost.exe
Token: SeBackupPrivilege	2760	svchost.exe
Token: SeRestorePrivilege	2760	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	dhl.exe
1368	ipjcvjpqbi

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1368	2996	dhl.exe	30
PID 2996 wrote to memory of 1368	2996	dhl.exe	30
PID 2996 wrote to memory of 1368	2996	dhl.exe	30
PID 2996 wrote to memory of 1368	2996	dhl.exe	30
PID 2996 wrote to memory of 1368	2996	dhl.exe	30
PID 2996 wrote to memory of 1368	2996	dhl.exe	30
PID 2996 wrote to memory of 1368	2996	dhl.exe	30

C:\Users\Admin\AppData\Local\Temp\dhl.exe
"C:\Users\Admin\AppData\Local\Temp\dhl.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- \??\c:\users\admin\appdata\local\ipjcvjpqbi
  "C:\Users\Admin\AppData\Local\Temp\dhl.exe" a -sc:\users\admin\appdata\local\temp\dhl.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\drm\%sessionname%\revim.cc3

Filesize
19.0MB

MD5
2fc38025e5834155b20a2d8af4ed6d93

SHA1
e79b3b49632862eee0f3a64be6b5f7137c44077b

SHA256
9516511c8c29041a6d91910adcd1472cd315d0994436f5cd43702a0d643713f7

SHA512
1b7e8a43a4440e4b78ee9959b4017b1f5758109a40b44eaef1282a86dc66f1183e1c0fcda77e9b0602199e301585dbb2fa814636b96ccd718b36b1f6cdb84aab

Download Submit
\Users\Admin\AppData\Local\Temp\rulC8AC.tmp

Filesize
172KB

MD5
4f407b29d53e9eb54e22d096fce82aa7

SHA1
a4ee25b066cac19ff679dd491f5791652bb71185

SHA256
cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc

SHA512
325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183

Download Submit
\Users\Admin\AppData\Local\ipjcvjpqbi

Filesize
24.4MB

MD5
f15ff30cbd372b1593221274456a2aa5

SHA1
41e4ab2adf864bf49f2d95ab13490ef2cd443b7e

SHA256
cb98ff5789902a0d917eaf9d45d3f4ff6d8a0ef85661263f158d4419c722ae13

SHA512
64cd379b8f9cc315e42e215df472e31fcc0a19a413d17b16388dd8bea5bc6f2d5b32ba72db5bfc87a245251bfc4ad3dde512136f72ba2cbec575cf7da3d78082

Download Submit
memory/1368-25-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1368-24-0x0000000000330000-0x00000000003A4000-memory.dmp

Filesize
464KB

Download
memory/1368-30-0x0000000000330000-0x00000000003A4000-memory.dmp

Filesize
464KB

Download
memory/1368-31-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/1368-16-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2760-33-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2760-32-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2996-3-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2996-18-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2996-0-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2996-19-0x0000000000350000-0x00000000003C4000-memory.dmp

Filesize
464KB

Download
memory/2996-1-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2996-12-0x0000000000750000-0x0000000000783000-memory.dmp

Filesize
204KB

Download
memory/2996-2-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2996-8-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2996-7-0x0000000000350000-0x00000000003C4000-memory.dmp

Filesize
464KB

Download