gh0strat | bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681

General

Target

bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
Size

156KB
MD5

4992dec477a30734ebc80fa7dd2a32b7
SHA1

f74d8acc8f43ff457228641f9853ffeb571d2133
SHA256

bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681
SHA512

38973053b4a82b7ac7cd208f0b2abd39f1fc300ddca223a281eb5e92992d37441ce90970d545ee5eb49f874d8624426247f451898495860c5668a30decf60134
SSDEEP

3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05KBi+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05KBDIk

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-57.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-59.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-60.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-61.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-62.dat	family_gh0strat
behavioral1/files/0x000900000001230d-65.dat	family_gh0strat
behavioral1/files/0x000900000001230d-66.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1072	inpbwqegf.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{nhgoiqpf-pdig-mqlr-ccgn-tvdirgfvnljn}	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{nhgoiqpf-pdig-mqlr-ccgn-tvdirgfvnljn}\ = "ÏµÍ³ÉèÖÃ"	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{nhgoiqpf-pdig-mqlr-ccgn-tvdirgfvnljn}\stubpath = "C:\\Windows\\System32\\inpbwqegf.exe"	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe

Loads dropped DLL 5 IoCs

pid	Process
1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
1072	inpbwqegf.exe
1072	inpbwqegf.exe
1072	inpbwqegf.exe
2036	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inpbwqegf.exe	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
File created	C:\Windows\SysWOW64\inpbwqegf.exe_lang.ini	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
File opened for modification	C:\Windows\SysWOW64\inpbwqegf.exe_lang.ini	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
1072	inpbwqegf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
Token: SeDebugPrivilege	1072	inpbwqegf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1900 wrote to memory of 1072	1900	bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe	27
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28
PID 1072 wrote to memory of 2036	1072	inpbwqegf.exe	28

C:\Users\Admin\AppData\Local\Temp\bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe
"C:\Users\Admin\AppData\Local\Temp\bfe077726c6dff816bcb3d38cd092563c895ae5eb5400209a842d2810f055681.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\inpbwqegf.exe
  C:\Windows\System32\inpbwqegf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\userinit.exe
    userinit.exe
    3⤵
    - Loads dropped DLL
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7085113_lang.dll

Filesize
114KB

MD5
7182dadfb0708df9269a71ae7fc6cb9b

SHA1
c68aa2ac9a20e0ab212477b515025e851c18fa39

SHA256
dd26b3c40c8fdb287c5f697e6f3a5348caaec8377592725d7611773834397d54

SHA512
de0c5a26ab59bfea196c3859fd5a4d14f211d976beafc8e33467145a5475b828f8859a6a4cfbc23b418c5ea6414ca1bd64e0fbd7e31ac4db1ea98ab63e163e06

Download Submit
C:\Windows\SysWOW64\inpbwqegf.exe

Filesize
156KB

MD5
2659bf0311c875dd9c4b03e3c6e4068e

SHA1
c843c15d303ca95a027af961722f4c30dd8dc58d

SHA256
d5ea8791d11efc3e7706a780beb63e7009ee5c6726699389d15ac3fd87f82d0d

SHA512
6babba25f4edb4144998dc796a99ab88912fc129b01d3a58e8e1b05ac2dd11737d7695bb77b476b95e79efb9debc2d891aba018d94970c4162cdc48cd76dc102

Download Submit
C:\Windows\SysWOW64\inpbwqegf.exe

Filesize
156KB

MD5
2659bf0311c875dd9c4b03e3c6e4068e

SHA1
c843c15d303ca95a027af961722f4c30dd8dc58d

SHA256
d5ea8791d11efc3e7706a780beb63e7009ee5c6726699389d15ac3fd87f82d0d

SHA512
6babba25f4edb4144998dc796a99ab88912fc129b01d3a58e8e1b05ac2dd11737d7695bb77b476b95e79efb9debc2d891aba018d94970c4162cdc48cd76dc102

Download Submit
\Users\Admin\AppData\Local\Temp\7085113_lang.dll

Filesize
114KB

MD5
7182dadfb0708df9269a71ae7fc6cb9b

SHA1
c68aa2ac9a20e0ab212477b515025e851c18fa39

SHA256
dd26b3c40c8fdb287c5f697e6f3a5348caaec8377592725d7611773834397d54

SHA512
de0c5a26ab59bfea196c3859fd5a4d14f211d976beafc8e33467145a5475b828f8859a6a4cfbc23b418c5ea6414ca1bd64e0fbd7e31ac4db1ea98ab63e163e06

Download Submit
\Windows\SysWOW64\inpbwqegf.exe

Filesize
156KB

MD5
2659bf0311c875dd9c4b03e3c6e4068e

SHA1
c843c15d303ca95a027af961722f4c30dd8dc58d

SHA256
d5ea8791d11efc3e7706a780beb63e7009ee5c6726699389d15ac3fd87f82d0d

SHA512
6babba25f4edb4144998dc796a99ab88912fc129b01d3a58e8e1b05ac2dd11737d7695bb77b476b95e79efb9debc2d891aba018d94970c4162cdc48cd76dc102

Download Submit
\Windows\SysWOW64\inpbwqegf.exe

Filesize
156KB

MD5
2659bf0311c875dd9c4b03e3c6e4068e

SHA1
c843c15d303ca95a027af961722f4c30dd8dc58d

SHA256
d5ea8791d11efc3e7706a780beb63e7009ee5c6726699389d15ac3fd87f82d0d

SHA512
6babba25f4edb4144998dc796a99ab88912fc129b01d3a58e8e1b05ac2dd11737d7695bb77b476b95e79efb9debc2d891aba018d94970c4162cdc48cd76dc102

Download Submit
\Windows\SysWOW64\inpbwqegf.exe

Filesize
156KB

MD5
2659bf0311c875dd9c4b03e3c6e4068e

SHA1
c843c15d303ca95a027af961722f4c30dd8dc58d

SHA256
d5ea8791d11efc3e7706a780beb63e7009ee5c6726699389d15ac3fd87f82d0d

SHA512
6babba25f4edb4144998dc796a99ab88912fc129b01d3a58e8e1b05ac2dd11737d7695bb77b476b95e79efb9debc2d891aba018d94970c4162cdc48cd76dc102

Download Submit
\Windows\SysWOW64\inpbwqegf.exe

Filesize
156KB

MD5
2659bf0311c875dd9c4b03e3c6e4068e

SHA1
c843c15d303ca95a027af961722f4c30dd8dc58d

SHA256
d5ea8791d11efc3e7706a780beb63e7009ee5c6726699389d15ac3fd87f82d0d

SHA512
6babba25f4edb4144998dc796a99ab88912fc129b01d3a58e8e1b05ac2dd11737d7695bb77b476b95e79efb9debc2d891aba018d94970c4162cdc48cd76dc102

Download Submit
memory/1900-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing