gh0strat | 3f852c0f09007ea12f110306f3d4d27678032e9082242a8f3d291f4561286f11

General

Target

setups.exe
Size

22.6MB
MD5

d6437b34d2f4ebc283dba35fa11fec25
SHA1

cf4ede6cff02f7d43362e1a7c87657fa6099842d
SHA256

1a849f51b091f22e8949ca92f5e99482bd3d9202c76fa27afd209f0e21b46bcc
SHA512

02524b129c33b1e2c378fc46d9f1bf98f5422c1b4bac6fae9bbce46cba9a762970dc93a643c41aaefcafe43734fdba3ba8e78227dd559b3c3f135085f31e4cff
SSDEEP

6144:lUrJnWqbUNZFXXp1pvpGFd7XDda328nnnnnnR:qlWqYvMFJUma

Score

10^/10

gh0strat bootkit discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000186ea-12.dat	family_gh0strat
behavioral1/memory/2820-15-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2820-17-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Deletes itself 1 IoCs

pid	Process
2140	gulmrdlqfw

Executes dropped EXE 1 IoCs

pid	Process
2140	gulmrdlqfw

Loads dropped DLL 3 IoCs

pid	Process
2420	setups.exe
2420	setups.exe
2820	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\crsvekfwyy	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\Date\I%SESSIONNAME%\jeypj.cc3	gulmrdlqfw

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setups.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gulmrdlqfw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2140	gulmrdlqfw
2820	svchost.exe
2820	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2140	gulmrdlqfw
Token: SeBackupPrivilege	2140	gulmrdlqfw
Token: SeBackupPrivilege	2140	gulmrdlqfw
Token: SeRestorePrivilege	2140	gulmrdlqfw
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeSecurityPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	2820	svchost.exe
Token: SeRestorePrivilege	2820	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2140	2420	setups.exe	30
PID 2420 wrote to memory of 2140	2420	setups.exe	30
PID 2420 wrote to memory of 2140	2420	setups.exe	30
PID 2420 wrote to memory of 2140	2420	setups.exe	30
PID 2420 wrote to memory of 2140	2420	setups.exe	30
PID 2420 wrote to memory of 2140	2420	setups.exe	30
PID 2420 wrote to memory of 2140	2420	setups.exe	30

C:\Users\Admin\AppData\Local\Temp\setups.exe
"C:\Users\Admin\AppData\Local\Temp\setups.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- \??\c:\users\admin\appdata\local\gulmrdlqfw
  "C:\Users\Admin\AppData\Local\Temp\setups.exe" a -sc:\users\admin\appdata\local\temp\setups.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files (x86)\winrar\formats\date\i%sessionname%\jeypj.cc3

Filesize
19.1MB

MD5
9f00c413fcf7bb4d7ec7b3f048a298f3

SHA1
b50ed298ae280d2db69cf27000002f26fca9c30d

SHA256
05430e137b1158d4e3f1279df1921db336b29edbecc5e57b98871f2fa01422f7

SHA512
16a9255c8510961c8c3c918b3c34e17baa61df52c5312c045c319be68b71d9230edc89eba7ee730139e73a64da0a664d9f3cdcac767103b1039d421f8a877a67

Download Submit
\Users\Admin\AppData\Local\gulmrdlqfw

Filesize
22.6MB

MD5
87a84116b8b9349d29464ea731bfeb95

SHA1
7fed7971e4e9d71af5d5563e80c21a8198501b02

SHA256
60ae47dfce97701d6a962b667afeadf6501dc5bb970026a8f628cc5ddfc57030

SHA512
b0ee12fd72afb8da87f11e36badef40f3c3d83b9c91e826139ddc5a02285c8068721faecf5ec8668870aa36fc14e1c2d8c7c39530629d242d33cb634d0d9a951

Download Submit
memory/2820-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2820-15-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2820-17-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads