gh0strat | 8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff

General

Target

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Size

725KB
MD5

a7c949ddd028f01f2a0ed3f282da4301
SHA1

6d109cf2cdf680308a351c8452b04778841cef79
SHA256

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff
SHA512

6ddcd3ffa5cb47cc2976f7b9c5275724e55c0a58dfb3929384b34cc3fa73e01f158b5e65c89276895eee3fbd2e95502f4794ba67f9d1c07f9b17179ce32f856a
SSDEEP

12288:QYV2TIO4zmHlccqhILjmZLBr8tVWBr3ts1E:B209mHycNSLBx8

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1512-55-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
behavioral1/memory/1512-61-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
behavioral1/memory/1172-66-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
behavioral1/memory/1172-69-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
\Users\Admin\AppData\Local\Temp\7129089_lang.dll	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

inaphxbit.exe

pid process

1172 inaphxbit.exe

pid	process
1172	inaphxbit.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{b4mkzqao-miav-rboc-93au-ioeg6c1gunuj}	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{b4mkzqao-miav-rboc-93au-ioeg6c1gunuj}\stubpath = "C:\\Windows\\system32\\inaphxbit.exe"	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1512-55-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect
\Windows\SysWOW64\inaphxbit.exe	vmprotect
C:\Windows\SysWOW64\inaphxbit.exe	vmprotect
behavioral1/memory/1512-61-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect
\Windows\SysWOW64\inaphxbit.exe	vmprotect
\Windows\SysWOW64\inaphxbit.exe	vmprotect
\Windows\SysWOW64\inaphxbit.exe	vmprotect
C:\Windows\SysWOW64\inaphxbit.exe	vmprotect
behavioral1/memory/1172-66-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect
behavioral1/memory/1172-69-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

inaphxbit.exe

pid process

1172 inaphxbit.exe

pid	process
1172	inaphxbit.exe

Loads dropped DLL 5 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exeinaphxbit.exe

pid	process
1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
1172	inaphxbit.exe
1172	inaphxbit.exe
1172	inaphxbit.exe
1172	inaphxbit.exe

Drops file in System32 directory 3 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

description	ioc	process
File created	C:\Windows\SysWOW64\inaphxbit.exe	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
File created	C:\Windows\SysWOW64\syslog.dat	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
File opened for modification	C:\Windows\SysWOW64\inaphxbit.exe_lang.ini	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exeinaphxbit.exe

pid process

1512 8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
1172 inaphxbit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exeinaphxbit.exe

description pid process

Token: 85899345940 1512 8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Token: 85899345940 1172 inaphxbit.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

inaphxbit.exe

pid process

1172 inaphxbit.exe

description	pid	process
Token: 85899345940	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Token: 85899345940	1172	inaphxbit.exe

pid	process
1172	inaphxbit.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

description	pid	process	target process
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe
PID 1512 wrote to memory of 1172	1512	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inaphxbit.exe

C:\Users\Admin\AppData\Local\Temp\8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
"C:\Users\Admin\AppData\Local\Temp\8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\inaphxbit.exe
C:\Windows\system32\inaphxbit.exe ZhuDongdelC:\Users\Admin\AppData\Local\Temp\8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inaphxbit.exe
Filesize
725KB

MD5
148218d0916c541ba03b62cd2a74c035

SHA1
ee96188fd3e774c095e0d14f8e7723cef6ad14d7

SHA256
8f25199bb5b74c80ae9d162668ffd5837d3fa6d2778a73a5d230947fe2bbeb61

SHA512
0b73ba95a5b0bb5ce19642fb02e6e16db2f4728298b9edc2675ef68d41b00893f8b7413cf7fd22586b16f5e80240b674773e1d6c8f74a92a194374e6a2f0a5ab

Download Submit
C:\Windows\SysWOW64\inaphxbit.exe
Filesize
725KB

MD5
148218d0916c541ba03b62cd2a74c035

SHA1
ee96188fd3e774c095e0d14f8e7723cef6ad14d7

SHA256
8f25199bb5b74c80ae9d162668ffd5837d3fa6d2778a73a5d230947fe2bbeb61

SHA512
0b73ba95a5b0bb5ce19642fb02e6e16db2f4728298b9edc2675ef68d41b00893f8b7413cf7fd22586b16f5e80240b674773e1d6c8f74a92a194374e6a2f0a5ab

Download Submit
\Users\Admin\AppData\Local\Temp\7129089_lang.dll
Filesize
119KB

MD5
16301d24447ff238700943e507d78fdd

SHA1
68eb2885ad9d0014a49bb1c28a3d9fbfa623d25d

SHA256
d9ffff3b6d8b6cff48fcf73af3ac42e213931cea4c5039bc08fef43bc3c92e19

SHA512
8a8dc0cb39da6716bf8565b8b42387cac509e1043aaa3e80911f9c96033ffaaa12a8f93bdac28867ef7b10866f70061b5d7b921c5ba4c801dfe4751c092bd758

Download Submit
\Windows\SysWOW64\inaphxbit.exe
Filesize
725KB

MD5
148218d0916c541ba03b62cd2a74c035

SHA1
ee96188fd3e774c095e0d14f8e7723cef6ad14d7

SHA256
8f25199bb5b74c80ae9d162668ffd5837d3fa6d2778a73a5d230947fe2bbeb61

SHA512
0b73ba95a5b0bb5ce19642fb02e6e16db2f4728298b9edc2675ef68d41b00893f8b7413cf7fd22586b16f5e80240b674773e1d6c8f74a92a194374e6a2f0a5ab

Download Submit
\Windows\SysWOW64\inaphxbit.exe
Filesize
725KB

MD5
148218d0916c541ba03b62cd2a74c035

SHA1
ee96188fd3e774c095e0d14f8e7723cef6ad14d7

SHA256
8f25199bb5b74c80ae9d162668ffd5837d3fa6d2778a73a5d230947fe2bbeb61

SHA512
0b73ba95a5b0bb5ce19642fb02e6e16db2f4728298b9edc2675ef68d41b00893f8b7413cf7fd22586b16f5e80240b674773e1d6c8f74a92a194374e6a2f0a5ab

Download Submit
\Windows\SysWOW64\inaphxbit.exe
Filesize
725KB

MD5
148218d0916c541ba03b62cd2a74c035

SHA1
ee96188fd3e774c095e0d14f8e7723cef6ad14d7

SHA256
8f25199bb5b74c80ae9d162668ffd5837d3fa6d2778a73a5d230947fe2bbeb61

SHA512
0b73ba95a5b0bb5ce19642fb02e6e16db2f4728298b9edc2675ef68d41b00893f8b7413cf7fd22586b16f5e80240b674773e1d6c8f74a92a194374e6a2f0a5ab

Download Submit
\Windows\SysWOW64\inaphxbit.exe
Filesize
725KB

MD5
148218d0916c541ba03b62cd2a74c035

SHA1
ee96188fd3e774c095e0d14f8e7723cef6ad14d7

SHA256
8f25199bb5b74c80ae9d162668ffd5837d3fa6d2778a73a5d230947fe2bbeb61

SHA512
0b73ba95a5b0bb5ce19642fb02e6e16db2f4728298b9edc2675ef68d41b00893f8b7413cf7fd22586b16f5e80240b674773e1d6c8f74a92a194374e6a2f0a5ab

Download Submit
memory/1172-58-0x0000000000000000-mapping.dmp

Download
memory/1172-68-0x0000000000BC0000-0x0000000000D22000-memory.dmp

Filesize
1.4MB

Download
memory/1172-66-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/1172-69-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/1512-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1512-61-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/1512-55-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads