gh0strat | e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b

General

Target

e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
Size

156KB
MD5

638d922d3a1acb3756dda409b8b50700
SHA1

6c416852f4c750931281b76fa6e69a9996da7882
SHA256

e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b
SHA512

a5e400a843be5b102be00a5fb30f96970d7b18f2f2259fadd2c6e721461ceacd0239737f05bfae6348887d03e5c81f89505e28cd75d09e5c6240607acb325d6a
SSDEEP

3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05Kui+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05KuDIk

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-57.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-60.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-59.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-61.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-62.dat	family_gh0strat
behavioral1/files/0x00090000000122ff-65.dat	family_gh0strat
behavioral1/files/0x00090000000122ff-66.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1644	incgzwjvl.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{kstneone-illo-fogd-pfej-vmggrkatiafp}	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{kstneone-illo-fogd-pfej-vmggrkatiafp}\ = "ÏµÍ³ÉèÖÃ"	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{kstneone-illo-fogd-pfej-vmggrkatiafp}\stubpath = "C:\\Windows\\System32\\incgzwjvl.exe"	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe

Loads dropped DLL 5 IoCs

pid	Process
1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
1644	incgzwjvl.exe
1644	incgzwjvl.exe
1644	incgzwjvl.exe
996	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\incgzwjvl.exe	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
File created	C:\Windows\SysWOW64\incgzwjvl.exe_lang.ini	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
File opened for modification	C:\Windows\SysWOW64\incgzwjvl.exe_lang.ini	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
1644	incgzwjvl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
Token: SeDebugPrivilege	1644	incgzwjvl.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1680 wrote to memory of 1644	1680	e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe	28
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29
PID 1644 wrote to memory of 996	1644	incgzwjvl.exe	29

C:\Users\Admin\AppData\Local\Temp\e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe
"C:\Users\Admin\AppData\Local\Temp\e1691bda323c46c3dd3926b242861fb88452191742395365c48c38a454da916b.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\incgzwjvl.exe
  C:\Windows\System32\incgzwjvl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7090417_lang.dll

Filesize
114KB

MD5
7a85ba37dc260fe2c5965a5dd8b871ec

SHA1
9bc76aeb32f7ade4d08bb31bec8e4ff2d13f7a95

SHA256
07203b92e94a485a3c8adb42da363af75071035390cdd8e80bf4bf0606f3582e

SHA512
81f854722b3de801e38436bd74c8a3a6ba2e49e9087bfa3146affc853a8041a357288396ed2b1c3f1ebcfbcfffb6a86d6c05ee75c5223ccbfcd52ee238afaf03

Download Submit
C:\Windows\SysWOW64\incgzwjvl.exe

Filesize
156KB

MD5
28f55b69fd74a9bfc691b96b1f02bcd0

SHA1
992861ea3ba51aecbb2a9546e663770ff3db8fb0

SHA256
92ac673b00e9cd7d77af3bc78a4acbce00fbbc04e61acb0fe9d79807d7dbc3c2

SHA512
b8704be0f88704457395c0bf9cd7864ee9b9339c38bd1af5c9f54b113bf88d9f78803147a018ea69704355eaebec4ea0dd33b351d9165db83f33a096a834f243

Download Submit
C:\Windows\SysWOW64\incgzwjvl.exe

Filesize
156KB

MD5
28f55b69fd74a9bfc691b96b1f02bcd0

SHA1
992861ea3ba51aecbb2a9546e663770ff3db8fb0

SHA256
92ac673b00e9cd7d77af3bc78a4acbce00fbbc04e61acb0fe9d79807d7dbc3c2

SHA512
b8704be0f88704457395c0bf9cd7864ee9b9339c38bd1af5c9f54b113bf88d9f78803147a018ea69704355eaebec4ea0dd33b351d9165db83f33a096a834f243

Download Submit
\Users\Admin\AppData\Local\Temp\7090417_lang.dll

Filesize
114KB

MD5
7a85ba37dc260fe2c5965a5dd8b871ec

SHA1
9bc76aeb32f7ade4d08bb31bec8e4ff2d13f7a95

SHA256
07203b92e94a485a3c8adb42da363af75071035390cdd8e80bf4bf0606f3582e

SHA512
81f854722b3de801e38436bd74c8a3a6ba2e49e9087bfa3146affc853a8041a357288396ed2b1c3f1ebcfbcfffb6a86d6c05ee75c5223ccbfcd52ee238afaf03

Download Submit
\Windows\SysWOW64\incgzwjvl.exe

Filesize
156KB

MD5
28f55b69fd74a9bfc691b96b1f02bcd0

SHA1
992861ea3ba51aecbb2a9546e663770ff3db8fb0

SHA256
92ac673b00e9cd7d77af3bc78a4acbce00fbbc04e61acb0fe9d79807d7dbc3c2

SHA512
b8704be0f88704457395c0bf9cd7864ee9b9339c38bd1af5c9f54b113bf88d9f78803147a018ea69704355eaebec4ea0dd33b351d9165db83f33a096a834f243

Download Submit
\Windows\SysWOW64\incgzwjvl.exe

Filesize
156KB

MD5
28f55b69fd74a9bfc691b96b1f02bcd0

SHA1
992861ea3ba51aecbb2a9546e663770ff3db8fb0

SHA256
92ac673b00e9cd7d77af3bc78a4acbce00fbbc04e61acb0fe9d79807d7dbc3c2

SHA512
b8704be0f88704457395c0bf9cd7864ee9b9339c38bd1af5c9f54b113bf88d9f78803147a018ea69704355eaebec4ea0dd33b351d9165db83f33a096a834f243

Download Submit
\Windows\SysWOW64\incgzwjvl.exe

Filesize
156KB

MD5
28f55b69fd74a9bfc691b96b1f02bcd0

SHA1
992861ea3ba51aecbb2a9546e663770ff3db8fb0

SHA256
92ac673b00e9cd7d77af3bc78a4acbce00fbbc04e61acb0fe9d79807d7dbc3c2

SHA512
b8704be0f88704457395c0bf9cd7864ee9b9339c38bd1af5c9f54b113bf88d9f78803147a018ea69704355eaebec4ea0dd33b351d9165db83f33a096a834f243

Download Submit
\Windows\SysWOW64\incgzwjvl.exe

Filesize
156KB

MD5
28f55b69fd74a9bfc691b96b1f02bcd0

SHA1
992861ea3ba51aecbb2a9546e663770ff3db8fb0

SHA256
92ac673b00e9cd7d77af3bc78a4acbce00fbbc04e61acb0fe9d79807d7dbc3c2

SHA512
b8704be0f88704457395c0bf9cd7864ee9b9339c38bd1af5c9f54b113bf88d9f78803147a018ea69704355eaebec4ea0dd33b351d9165db83f33a096a834f243

Download Submit
memory/1680-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing