gh0strat | f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f

General

Target

f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe
Size

157KB
MD5

ff9409140eade15c0688e4e3c9979491
SHA1

92d7b0d4f4dd327b5b09f3acde222788c97aabcf
SHA256

f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f
SHA512

506f975e44912a764f218feb4ffc0ab8b3c3ff71dca386b58308851130399779e5bc3548404df77fe264952b582f3cfb11c075ace40c66d6c40622dd028571d6
SSDEEP

3072:LMx5+9Tj144UtgIY/IGFmVt4+eGpIeFOOtPbnKh0iJhakVZkS8q4MFJD703q:A8J144K96Ih4+ppIetPbKNhakVZWMFNn

Score

10^/10

gh0strat discovery persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/1644-19-0x0000000000400000-0x000000000046C000-memory.dmp	family_gh0strat
behavioral1/memory/5520-18-0x0000000000400000-0x000000000046C000-memory.dmp	family_gh0strat
behavioral1/memory/5240-23-0x0000000000400000-0x000000000046C000-memory.dmp	family_gh0strat
behavioral1/memory/5348-25-0x0000000000400000-0x000000000046C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 3 IoCs

pid	Process
5348	svchost.exe
1644	Update.exe
5520	svchost.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/5240-0-0x0000000000400000-0x000000000046C000-memory.dmp	vmprotect
behavioral1/files/0x00070000000241c4-7.dat	vmprotect
behavioral1/memory/1644-19-0x0000000000400000-0x000000000046C000-memory.dmp	vmprotect
behavioral1/memory/5520-18-0x0000000000400000-0x000000000046C000-memory.dmp	vmprotect
behavioral1/memory/5520-15-0x0000000000400000-0x000000000046C000-memory.dmp	vmprotect
behavioral1/memory/5240-23-0x0000000000400000-0x000000000046C000-memory.dmp	vmprotect
behavioral1/memory/5348-25-0x0000000000400000-0x000000000046C000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\duowan = "C:\\WINDOWS\\Update.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\afc9fe2f418b00a0.bat	Update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\Update.exe	svchost.exe
File opened for modification	C:\WINDOWS\Update.exe	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process
4948	5348	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe
5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
5348	svchost.exe
1644	Update.exe
1644	Update.exe
5520	svchost.exe
5520	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5348	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5348	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5240 wrote to memory of 5348	5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe	85
PID 5240 wrote to memory of 5348	5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe	85
PID 5240 wrote to memory of 5348	5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe	85
PID 4412 wrote to memory of 1644	4412	cmd.exe	88
PID 4412 wrote to memory of 1644	4412	cmd.exe	88
PID 4412 wrote to memory of 1644	4412	cmd.exe	88
PID 1644 wrote to memory of 5520	1644	Update.exe	89
PID 1644 wrote to memory of 5520	1644	Update.exe	89
PID 1644 wrote to memory of 5520	1644	Update.exe	89
PID 1644 wrote to memory of 2000	1644	Update.exe	91
PID 1644 wrote to memory of 2000	1644	Update.exe	91
PID 1644 wrote to memory of 2000	1644	Update.exe	91
PID 5240 wrote to memory of 4244	5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe	112
PID 5240 wrote to memory of 4244	5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe	112
PID 5240 wrote to memory of 4244	5240	f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe	112

C:\Users\Admin\AppData\Local\Temp\f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe
"C:\Users\Admin\AppData\Local\Temp\f8d7d9a72bcab06b302f38c33a563988452dde8c8bfa4d67bbaffc32dd983c7f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5240
- C:\Users\Admin\AppData\Local\Temp\duowan\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\duowan\svchost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 684
    3⤵
    - Program crash
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Update.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\WINDOWS\Update.exe
  C:\WINDOWS\Update.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\duowan\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\duowan\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5348 -ip 5348
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SVCHOST.SCR

Filesize
157KB

MD5
78caf40dc1be94514cfb9493a5eddd67

SHA1
1f42fb8fe1950d6e05a2d4e3305405dc56576aa7

SHA256
8c843b26d42386195e9348bce45f5683fa4bc99a8ff1bb3499fc93f1d48e464a

SHA512
85f93c5cf1eddbaafc6b0a22c48a30bc627676d019049cd551dcea9640a0b8d3e09c787de6ae1413ad98201b136d627b6bf75e22874e0449ed7d72bce1d86caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
1dd70f86515dd65f1bc9d111afb65861

SHA1
cb135181d720c55883acad1ed1569ffb95f1e853

SHA256
5662ec8eb46e1126ecc207fbe9ed292e136103053711c36be177d6c4bd073280

SHA512
6e87cf2f32e14ddd1b080ca819eafa3cbc2ce62475193b96eda23ec8851c9eda1099bb2600c0cdaaba416fa7659c5780f03bdf1b5625c3fd16c9479ba798b898

Download Submit
C:\Windows\SysWOW64\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
95c9765b4e53af1e83556265b0fd9495

SHA1
2f860e6ff5737a606e23cd3cde6b11565ae54363

SHA256
9d6ae9dcde736b9e7d883e7e929b4d04ec200fd243fcfa59010eba26afe63227

SHA512
6736df1b045c91e91700dcd882110b60a8a832586ebb3d5906dc0d56f1aa4802d9c9037767ae020bb8be9de9eb8a68ea41338a9a6e68e3d30e5c94724a644ef0

Download Submit
memory/1644-19-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5240-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5240-23-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5348-25-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5520-18-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5520-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads