Blacklisted IP (Gh0st RAT) Analysis

Ongoing analysis of Gh0st RAT

Blacklisted IP: 23[.]225.73.110

Risk Score: 10

Confidence Level: High

Associated Malware: Gh0st RAT

Function: Gh0st RAT C&C

ITW (in-the-wild) Associations: EMISSARY PANDA, Hurricane Panda, Lazarus Group, Leviathan, Stone Panda

Associated Hash (MD5): c61470df88115bd1c14540652f48ef49

File Name: svchsot.exe

DeCyfir presence: Yes

About Gh0st RAT: Gh0st RAT is a long-established Remote Access Trojan (RAT) whose source code has been publicly available for years, and it is used mostly by Chinese threat actor groups. Its capabilities include:

  • Control of the remote screen of the infected host.
  • Real-time and offline keylogging.
  • Live feed from the webcam and microphone of the infected host.
  • Download of additional binaries onto the infected host.
  • Remote shutdown and reboot of the host.
  • Disabling of the infected host's mouse pointer and keyboard input.
  • Interactive shell on the infected host with full control.
  • Listing of all active processes.
  • Removal of all existing hooks from the SSDT (System Service Dispatch Table).

Gh0st RAT is also known to be used to install a cryptocurrency miner on the victim machines.

Target Industries: Government Agencies, Embassies, Foreign Ministries, Military Offices

Target Region: Southern and South-East Asian Countries

Distribution: Spear-phishing, EternalBlue SMB exploit, delivery via Daserf malware

Associated Hash Analysis:

File name: svchsot.exe

MD5: c61470df88115bd1c14540652f48ef49

SHA1: d3d39e2ff6b8f9d8d04d72385b48fc1cc3429407

SHA256: 2d29648e8ef3eb8e7dcb9632359d315ecabee7c32a0c3f3f622b124fd7c07da1

The Gh0st RAT dropper arrives on a victim machine primarily via an EternalBlue/DoublePulsar exploit. Once launched, the dropper decrypts the Gh0st RAT DLL and loads it directly into memory. Note that the file name svchsot.exe is a letter transposition of the legitimate svchost.exe (masquerading, ATT&CK T1036), so process and file listings should be matched against the exact name rather than skimmed by eye.

Static Analysis Information:

    • EXE:
        MachineType: Intel 80386, for MS Windows
        PEType: PE32
        EntryPoint: 0x4290
        Subsystem: Windows GUI

    • TRiD:
        .exe | Win32 Executable MS Visual C++
        .exe | Win64 Executable
        .scr | Windows screen saver
        .dll | Win32 Dynamic Link Library
        .exe | Win32 Executable

    • Imports:
        Kernel32.dll

A 32-bit GUI-subsystem executable whose import table references only Kernel32.dll is characteristic of a packed or obfuscated loader that resolves the rest of its API at run time, which fits the dropper behaviour described above (decrypting and loading the Gh0st RAT DLL in memory).

Behaviour Analysis Information:

Process Flow:

svchsot.exe

– Changes the autorun value in the registry (Malicious)
– Connects to the C&C server (Malicious)
– Gh0st was detected (Malicious)
– Reads the computer name (Suspicious)
– Checks supported languages (Suspicious)
– Reads CPU info (Suspicious)
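The "Gh0st was detected" verdict above is typically raised by a network signature on the Gh0st framing rather than on the file itself: in the public Gh0st RAT source, every packet starts with a fixed 5-byte tag ("Gh0st" by default), followed by two little-endian 32-bit lengths (total packet length including the header, and the payload length before compression) and a zlib-compressed body. The following is an added example, not code from this page or from the RAT: it builds packets in that framing and parses a reassembled TCP stream back into payloads, stopping at truncated, non-zlib or length-mismatched packets so that a non-Gh0st stream is not misread. The tag set is a parameter because known variants keep the layout but change the tag; the sample payloads and the size bound MAX_PACKET are constructed for the example and are not protocol constants.

```python
import struct
import zlib

# Packet header as laid out in the public Gh0st RAT source: 5-byte tag ("Gh0st" by
# default), then two little-endian int32 fields: total packet length including this
# 13-byte header, and the length of the payload before zlib compression.
HEADER = struct.Struct("<5sii")
DEFAULT_TAGS = frozenset({b"Gh0st"})
MAX_PACKET = 16 * 1024 * 1024  # sanity bound chosen for this example, not a protocol constant


def build_packet(payload: bytes, tag: bytes = b"Gh0st") -> bytes:
    """Frame a payload the way the implant does: header followed by zlib-compressed body."""
    body = zlib.compress(payload)
    return HEADER.pack(tag, HEADER.size + len(body), len(payload)) + body


def parse_header(buf: bytes, offset: int = 0, tags=DEFAULT_TAGS):
    """Validate the 13-byte header at offset; return (tag, total_len, orig_len) or None."""
    if len(buf) - offset < HEADER.size:
        return None
    tag, total_len, orig_len = HEADER.unpack_from(buf, offset)
    if tag not in tags:
        return None
    if not (HEADER.size <= total_len <= MAX_PACKET) or not (0 <= orig_len <= MAX_PACKET):
        return None
    return tag, total_len, orig_len


def parse_stream(data: bytes, tags=DEFAULT_TAGS):
    """Split a reassembled stream into (tag, payload) tuples; return (packets, leftover).

    Parsing stops at the first header or body that fails validation, so a truncated
    packet stays in 'leftover' for the caller to complete instead of being misread.
    """
    packets = []
    offset = 0
    while True:
        header = parse_header(data, offset, tags)
        if header is None:
            break
        tag, total_len, orig_len = header
        if len(data) - offset < total_len:
            break  # incomplete packet: wait for more bytes
        try:
            payload = zlib.decompress(data[offset + HEADER.size:offset + total_len])
        except zlib.error:
            break  # body is not zlib data, so this is not a Gh0st packet after all
        if len(payload) != orig_len:
            break  # uncompressed-length field disagrees with the body: tampered or misparsed
        packets.append((tag, payload))
        offset += total_len
    return packets, data[offset:]


if __name__ == "__main__":
    # Constructed traffic: two framed packets plus two stray bytes of a third.
    stream = build_packet(b"hello from bot") + build_packet(b"cmd:list_processes") + b"Gh"
    packets, leftover = parse_stream(stream)
    for tag, payload in packets:
        print(tag, payload)
    print("leftover bytes:", leftover)
```

For a live sensor the same check is normally written as a first-packet rule (known tag at offset 0, plausible length fields) on the TCP stream to the C&C port; parse_header is that rule, and parse_stream is the full decoder for post-incident PCAP review.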


Network Analysis Information: 

Function   Protocol   Process Name   IP                Port   Domain/URL
C&C        HTTP       svchsot.exe    23[.]225.73.110   8000   www.wk1888[.]com
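As an added example that is not part of this analysis page, the indicators above (IP, port, domain, file name and the three hashes) are turned into a matcher that can be run over exported endpoint or DNS logs. Indicators are kept defanged, as written on the page, and refanged before matching; the port only counts when it appears alongside the C&C address. The embedded log lines are constructed in a Sysmon-like key=value shape, not captured telemetry: three should hit and two are deliberate near-misses (the legitimate svchost.exe, and an unrelated address that contains the C&C IP as a substring).

```python
import re

# Indicators copied from this page, kept defanged as written there and refanged
# before matching so a copy of the page can be used directly as the watch list.
INDICATORS = {
    "ip": "23[.]225.73.110",
    "port": 8000,
    "domain": "www.wk1888[.]com",
    "file_name": "svchsot.exe",
    "md5": "c61470df88115bd1c14540652f48ef49",
    "sha1": "d3d39e2ff6b8f9d8d04d72385b48fc1cc3429407",
    "sha256": "2d29648e8ef3eb8e7dcb9632359d315ecabee7c32a0c3f3f622b124fd7c07da1",
}


def refang(value: str) -> str:
    """Return the live form of a defanged indicator (23[.]225.73.110 -> 23.225.73.110)."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def _bounded(literal: str) -> "re.Pattern[str]":
    # Require a non-token character on both sides so 23.225.73.110 does not hit inside
    # 123.225.73.110 and svchsot.exe does not hit inside a longer token. Matching is
    # case-insensitive because log sources differ in the hex case of hashes.
    return re.compile(r"(?<![\w.-])" + re.escape(literal) + r"(?![\w-])", re.IGNORECASE)


PATTERNS = {
    name: _bounded(refang(value))
    for name, value in INDICATORS.items()
    if isinstance(value, str)
}
# The port is only meaningful next to the C&C address; 8000 on its own is noise.
PORT_PATTERN = re.compile(r"(?<![\w.])%d(?![\w.])" % INDICATORS["port"])


def match_line(line: str) -> set:
    """Names of every indicator from the page that appears in one log line."""
    hits = {name for name, pattern in PATTERNS.items() if pattern.search(line)}
    if "ip" in hits and PORT_PATTERN.search(line):
        hits.add("port")
    return hits


def scan(lines) -> list:
    """Return [(line_number, sorted_hit_names)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((number, sorted(hits)))
    return results


# Constructed Sysmon-style key=value lines for demonstration; not telemetry from a real host.
SAMPLE_LOGS = [
    r"EventID=1 Image=C:\Windows\svchsot.exe Hashes=MD5=C61470DF88115BD1C14540652F48EF49,SHA256=2d29648e8ef3eb8e7dcb9632359d315ecabee7c32a0c3f3f622b124fd7c07da1",
    r"EventID=3 Image=C:\Windows\svchsot.exe DestinationIp=23.225.73.110 DestinationPort=8000",
    r"EventID=22 Image=C:\Windows\svchsot.exe QueryName=www.wk1888.com QueryResults=23.225.73.110;",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=203.0.113.5 DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=123.225.73.110 DestinationPort=8000",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

The boundary lookarounds matter more than they look: a plain substring search on the IP would have flagged the fifth line, and a hash search without case folding would have missed the first.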


MITRE ATT&CK Techniques:

Tactic       Technique                    Signature
Execution    T1129 – Shared Modules       dropper
Discovery    T1057 – Process Discovery    process_interest

Check back on this page for further analysis.