gh0strat | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf

General

Target

e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Size

156KB
MD5

1710258343ac8af4dae7b976125f119f
SHA1

c69a8f32b03fb5630ba33be642fcff4a756f8cec
SHA256

e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf
SHA512

51bf5c9c4f797b755b7e080a31eecdbd74f352472a362a8133d584f6de569ecce11b764d46f8176162c49ee181820a1ba44005149dbe1a80684fb89e3f1db0c9
SSDEEP

3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05K3i+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05K3DIk

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-57.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-60.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-61.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-59.dat	family_gh0strat
behavioral1/files/0x0008000000005c51-62.dat	family_gh0strat
behavioral1/files/0x0007000000014219-65.dat	family_gh0strat
behavioral1/files/0x0007000000014219-66.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
840	inatwyxqd.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt}	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt}\ = "ÏµÍ³ÉèÖÃ"	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{zemdnoqn-tixy-ycfe-sili-iajhsojsicyt}\stubpath = "C:\\Windows\\System32\\inatwyxqd.exe"	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Loads dropped DLL 5 IoCs

pid	Process
1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
840	inatwyxqd.exe
840	inatwyxqd.exe
840	inatwyxqd.exe
268	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inatwyxqd.exe_lang.ini	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File created	C:\Windows\SysWOW64\inatwyxqd.exe	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File created	C:\Windows\SysWOW64\inatwyxqd.exe_lang.ini	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
840	inatwyxqd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Token: SeDebugPrivilege	840	inatwyxqd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 1252 wrote to memory of 840	1252	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	27
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28
PID 840 wrote to memory of 268	840	inatwyxqd.exe	28

C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
"C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\inatwyxqd.exe
  C:\Windows\System32\inatwyxqd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7090682_lang.dll

Filesize
114KB

MD5
14a6735ae8eaf17c6f65d4097047aeda

SHA1
22d735ea40c7f91568ef180c0175eac249b11606

SHA256
7865fd60ab475de06cfcbe1bb9debfc34cfa67a55cf0591e323bd10776328505

SHA512
734e12040cb34731a3de27c57d396d9dab14c7cbc9cbca95f8afd3348ee6d889a69f6bbf17963e21df21f99277b11da23c8a66566d4c3e3c05444e22826bf4c9

Download Submit
C:\Windows\SysWOW64\inatwyxqd.exe

Filesize
156KB

MD5
c4f78d1a08f9d3007d5b5bfb9df116bc

SHA1
39dae566d50ffd72b3c68ce097d1b7f1456faa7a

SHA256
72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435

SHA512
5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a

Download Submit
C:\Windows\SysWOW64\inatwyxqd.exe

Filesize
156KB

MD5
c4f78d1a08f9d3007d5b5bfb9df116bc

SHA1
39dae566d50ffd72b3c68ce097d1b7f1456faa7a

SHA256
72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435

SHA512
5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a

Download Submit
\Users\Admin\AppData\Local\Temp\7090682_lang.dll

Filesize
114KB

MD5
14a6735ae8eaf17c6f65d4097047aeda

SHA1
22d735ea40c7f91568ef180c0175eac249b11606

SHA256
7865fd60ab475de06cfcbe1bb9debfc34cfa67a55cf0591e323bd10776328505

SHA512
734e12040cb34731a3de27c57d396d9dab14c7cbc9cbca95f8afd3348ee6d889a69f6bbf17963e21df21f99277b11da23c8a66566d4c3e3c05444e22826bf4c9

Download Submit
\Windows\SysWOW64\inatwyxqd.exe

Filesize
156KB

MD5
c4f78d1a08f9d3007d5b5bfb9df116bc

SHA1
39dae566d50ffd72b3c68ce097d1b7f1456faa7a

SHA256
72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435

SHA512
5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a

Download Submit
\Windows\SysWOW64\inatwyxqd.exe

Filesize
156KB

MD5
c4f78d1a08f9d3007d5b5bfb9df116bc

SHA1
39dae566d50ffd72b3c68ce097d1b7f1456faa7a

SHA256
72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435

SHA512
5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a

Download Submit
\Windows\SysWOW64\inatwyxqd.exe

Filesize
156KB

MD5
c4f78d1a08f9d3007d5b5bfb9df116bc

SHA1
39dae566d50ffd72b3c68ce097d1b7f1456faa7a

SHA256
72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435

SHA512
5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a

Download Submit
\Windows\SysWOW64\inatwyxqd.exe

Filesize
156KB

MD5
c4f78d1a08f9d3007d5b5bfb9df116bc

SHA1
39dae566d50ffd72b3c68ce097d1b7f1456faa7a

SHA256
72f923f35d5af53cccd01fd6979ed97b8a537eadf0e21de3dedc8e45b2cc2435

SHA512
5aeca4f5410c348ee22c9efb5febd8f5ff7b77ddc0fa7a9b391fd03f562d29a58dab3ba98b88c69d4b19fa74a17d279de63f147f4247af8c5ad5a2e87be3e76a

Download Submit
memory/1252-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing