gh0strat | 17fbfee0cd6f164786c1b90fba254a776edf1b917ba7e27484600b70fac949c9

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF天空VIP V7.8版 8.29 日破解版/天空vip.exe
Size

1.3MB
MD5

27f4e7a15d2a4624eb6f3adabd70e97d
SHA1

9c2eafe637e33fd260cee1d65f3d7a113256c7f6
SHA256

d49ab1f371ffc533a82826611c042a83458f49a82b3a57e35e5cea8b15aca98b
SHA512

3055a4293578b346fe3c83d161285b4f78cd13a586f0e91231cf0c09aa3b3e2563577733eddb6381ce126f0a5a0120e4bbd1eb8522bf3e8860d24ac65e29637c
SSDEEP

24576:3ZIJ8lG4o3PE+WGEky00Eyb/LOh7FTVLYyMrc7LcvOrZfJoM0FQm9NsWTVVRuxqL:9lG4ofRC00Eyja7jYmLvoM0z7uxSd

Score

10^/10

gh0strat bootkit discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001225c-3.dat	family_gh0strat
behavioral1/files/0x0003000000018334-68.dat	family_gh0strat
behavioral1/files/0x0008000000018b89-75.dat	family_gh0strat
behavioral1/memory/1292-78-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 3 IoCs

pid	Process
2288	server.exe
2816	天空vip.exe
2440	hyifwkpmgv

Loads dropped DLL 8 IoCs

pid	Process
2380	天空vip.exe
2380	天空vip.exe
2380	天空vip.exe
2288	server.exe
2288	server.exe
2288	server.exe
2288	server.exe
1292	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ikpgaljoxu	svchost.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2816-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-53-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-51-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-65-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-63-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-61-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-59-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-57-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-55-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-49-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-46-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-43-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-39-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-37-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-35-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-27-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-25-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-23-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2816-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	天空vip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	天空vip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyifwkpmgv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	2816	天空vip.exe
Token: SeIncBasePriorityPrivilege	2816	天空vip.exe
Token: 33	2816	天空vip.exe
Token: SeIncBasePriorityPrivilege	2816	天空vip.exe
Token: 33	2816	天空vip.exe
Token: SeIncBasePriorityPrivilege	2816	天空vip.exe
Token: SeRestorePrivilege	2440	hyifwkpmgv
Token: SeBackupPrivilege	2440	hyifwkpmgv
Token: SeBackupPrivilege	2440	hyifwkpmgv
Token: SeRestorePrivilege	2440	hyifwkpmgv
Token: 33	2816	天空vip.exe
Token: SeIncBasePriorityPrivilege	2816	天空vip.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeRestorePrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeSecurityPrivilege	1292	svchost.exe
Token: SeSecurityPrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeSecurityPrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeSecurityPrivilege	1292	svchost.exe
Token: SeBackupPrivilege	1292	svchost.exe
Token: SeRestorePrivilege	1292	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2816	天空vip.exe
2816	天空vip.exe
2816	天空vip.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2288	2380	天空vip.exe	29
PID 2380 wrote to memory of 2816	2380	天空vip.exe	30
PID 2380 wrote to memory of 2816	2380	天空vip.exe	30
PID 2380 wrote to memory of 2816	2380	天空vip.exe	30
PID 2380 wrote to memory of 2816	2380	天空vip.exe	30
PID 2288 wrote to memory of 2440	2288	server.exe	31
PID 2288 wrote to memory of 2440	2288	server.exe	31
PID 2288 wrote to memory of 2440	2288	server.exe	31
PID 2288 wrote to memory of 2440	2288	server.exe	31
PID 2288 wrote to memory of 2440	2288	server.exe	31
PID 2288 wrote to memory of 2440	2288	server.exe	31
PID 2288 wrote to memory of 2440	2288	server.exe	31

C:\Users\Admin\AppData\Local\Temp\CF天空VIP V7.8版 8.29 日破解版\天空vip.exe
"C:\Users\Admin\AppData\Local\Temp\CF天空VIP V7.8版 8.29 日破解版\天空vip.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - \??\c:\users\admin\appdata\local\hyifwkpmgv
    "C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Users\Admin\AppData\Local\Temp\天空vip.exe
  "C:\Users\Admin\AppData\Local\Temp\天空vip.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\天空vip.exe

Filesize
2.1MB

MD5
728080054e4108c4244e9d240c1bbc99

SHA1
8d60c0102a534695c58ab4e738bf24772c2d90ae

SHA256
d3e00e23521c92e28b19d7c77a866eb531a45c03297dd275808a632117771b04

SHA512
40f8823dce900383df2be43969ad161631d1a6ae7b57d7330453e743cfc9ff620fec718a992982ba9e070324e3a8fe3daa69e4f33a86d62feaa82c83cd193efd

Download Submit
\??\c:\programdata\drm\%sessionname%\fndsr.cc3

Filesize
19.1MB

MD5
be861854860a28719f189c0d0268addc

SHA1
0d649e41db68d1fab2ea6bd6ff970fdc0f9acd40

SHA256
6e392fd2619038ae728c6985cf4760a2f40e5e3ab75c0a90539abcaafb198c60

SHA512
06190f2ddfda939156605cd66474f7e1131195cd195b0e7d2e00859922e9d23a81ffb80a0651571e7f559ae3eb48f56f1b48f4b18cbeb5174ae33b47bc624967

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
196KB

MD5
6143117050965152ba482b72c75768fb

SHA1
c13234982f9818b6679c56e24b13c181deee417b

SHA256
da66601f0b0b62302f0f4b99df958ac417f6d271715afaebf8313154a8059175

SHA512
52a8f542ab52725c4f3c6b014a36164691af9b5a95f72c4a35bcc91c90ebff825417a28a1a4015bcb684f3a79623e0bfaddf7ed9e4ba134c3f702aacaf17d51f

Download Submit
\Users\Admin\AppData\Local\hyifwkpmgv

Filesize
21.9MB

MD5
356767a2fb3ffef376ff0c34fa700b96

SHA1
d2fa249e61527a52b4c114a8498329129794206e

SHA256
38dc21f9026cc44ca5a890cb8c345f27c7768ef0a0f2dd52ff337e1bc136da99

SHA512
c8f085b08aec1fd16cb180011681c744949f2d85ebb58a0afe8531610cd8427128fdfc50d8c63ed36a98f6b8b6df9b4e570047203aa485a496bf3fba5f716794

Download Submit
memory/1292-78-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1292-77-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2380-0-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/2816-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-59-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-57-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-55-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-49-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-46-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-43-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-63-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-39-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-37-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-35-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-61-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-27-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-25-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-23-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-65-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-51-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-53-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2816-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download