gh0strat | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf

General

Target

e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Size

156KB
MD5

1710258343ac8af4dae7b976125f119f
SHA1

c69a8f32b03fb5630ba33be642fcff4a756f8cec
SHA256

e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf
SHA512

51bf5c9c4f797b755b7e080a31eecdbd74f352472a362a8133d584f6de569ecce11b764d46f8176162c49ee181820a1ba44005149dbe1a80684fb89e3f1db0c9
SSDEEP

3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05K3i+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05K3DIk

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x001b00000001d9f9-134.dat	family_gh0strat
behavioral2/files/0x001b00000001d9f9-133.dat	family_gh0strat
behavioral2/files/0x000300000001e64d-136.dat	family_gh0strat
behavioral2/files/0x000300000001e64d-137.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4964	inpleqlxa.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{igtln61s-rmi4-bfmk-4770-2btbt0k82b2y}	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{igtln61s-rmi4-bfmk-4770-2btbt0k82b2y}\ = "ÏµÍ³ÉèÖÃ"	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{igtln61s-rmi4-bfmk-4770-2btbt0k82b2y}\stubpath = "C:\\Windows\\System32\\inpleqlxa.exe"	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Loads dropped DLL 1 IoCs

pid	Process
524	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inpleqlxa.exe	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File created	C:\Windows\SysWOW64\inpleqlxa.exe_lang.ini	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File opened for modification	C:\Windows\SysWOW64\inpleqlxa.exe_lang.ini	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2508	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
2508	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
4964	inpleqlxa.exe
4964	inpleqlxa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Token: SeDebugPrivilege	4964	inpleqlxa.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4964	2508	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	81
PID 2508 wrote to memory of 4964	2508	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	81
PID 2508 wrote to memory of 4964	2508	e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe	81
PID 4964 wrote to memory of 524	4964	inpleqlxa.exe	82
PID 4964 wrote to memory of 524	4964	inpleqlxa.exe	82
PID 4964 wrote to memory of 524	4964	inpleqlxa.exe	82
PID 4964 wrote to memory of 524	4964	inpleqlxa.exe	82

C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
"C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\inpleqlxa.exe
  C:\Windows\System32\inpleqlxa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240574609_lang.dll

Filesize
114KB

MD5
84969a0da5920a151b8ae9b4c1afde4c

SHA1
284cb96c3933a99d03b8646d22b451d3f5d90a23

SHA256
31f523ab4050c6d591dde7cd9ed7a23a38bedd1e1a7a410bada2674e368c983e

SHA512
807a215d60a8c3bd19fc27a0c1bfa354c23667106a3611da8a5c78a836cab067a5b5104d33ea1f37a8828ad7ec2d6536ac5d9d73efd9f41091a98090c13a1046

Download Submit
C:\Users\Admin\AppData\Local\Temp\240574609_lang.dll

Filesize
114KB

MD5
84969a0da5920a151b8ae9b4c1afde4c

SHA1
284cb96c3933a99d03b8646d22b451d3f5d90a23

SHA256
31f523ab4050c6d591dde7cd9ed7a23a38bedd1e1a7a410bada2674e368c983e

SHA512
807a215d60a8c3bd19fc27a0c1bfa354c23667106a3611da8a5c78a836cab067a5b5104d33ea1f37a8828ad7ec2d6536ac5d9d73efd9f41091a98090c13a1046

Download Submit
C:\Windows\SysWOW64\inpleqlxa.exe

Filesize
156KB

MD5
0893d226328a4c39bd926eaf9fb56a01

SHA1
daeb9f8a694834700b01dd59fafb7948f288c4e1

SHA256
ba13c41f8274d831167ce8e919a73082d584cd3712ccbb3c242d1c1a69033c50

SHA512
63405540c2dec09ed27a5b721efb2cbd33240a52eb5ea219e5c134140698ce0cff88537d9e9fecb4d463db31f4703373f9176684397aec8badb6705b5e24af7d

Download Submit
C:\Windows\SysWOW64\inpleqlxa.exe

Filesize
156KB

MD5
0893d226328a4c39bd926eaf9fb56a01

SHA1
daeb9f8a694834700b01dd59fafb7948f288c4e1

SHA256
ba13c41f8274d831167ce8e919a73082d584cd3712ccbb3c242d1c1a69033c50

SHA512
63405540c2dec09ed27a5b721efb2cbd33240a52eb5ea219e5c134140698ce0cff88537d9e9fecb4d463db31f4703373f9176684397aec8badb6705b5e24af7d

Download Submit
memory/524-135-0x0000000000000000-mapping.dmp

Download
memory/4964-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing