gh0strat | 8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff

General

Target

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Size

725KB
MD5

a7c949ddd028f01f2a0ed3f282da4301
SHA1

6d109cf2cdf680308a351c8452b04778841cef79
SHA256

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff
SHA512

6ddcd3ffa5cb47cc2976f7b9c5275724e55c0a58dfb3929384b34cc3fa73e01f158b5e65c89276895eee3fbd2e95502f4794ba67f9d1c07f9b17179ce32f856a
SSDEEP

12288:QYV2TIO4zmHlccqhILjmZLBr8tVWBr3ts1E:B209mHycNSLBx8

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2068-132-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
behavioral2/memory/2068-137-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
behavioral2/memory/5084-138-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
behavioral2/memory/5084-140-0x0000000000400000-0x0000000000562000-memory.dmp	family_gh0strat
C:\Users\Admin\AppData\Local\Temp\240591109_lang.dll	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 1 IoCs

Processes:

inzkcszdo.exe

pid process

5084 inzkcszdo.exe

pid	process
5084	inzkcszdo.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{hwfuylj2-d3bm-7n84-ndj2-1vx72bpji2ey}	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{hwfuylj2-d3bm-7n84-ndj2-1vx72bpji2ey}\stubpath = "C:\\Windows\\system32\\inzkcszdo.exe"	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2068-132-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect
C:\Windows\SysWOW64\inzkcszdo.exe	vmprotect
behavioral2/memory/2068-137-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect
C:\Windows\SysWOW64\inzkcszdo.exe	vmprotect
behavioral2/memory/5084-138-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect
behavioral2/memory/5084-140-0x0000000000400000-0x0000000000562000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

inzkcszdo.exe

pid process

5084 inzkcszdo.exe

pid	process
5084	inzkcszdo.exe

Drops file in System32 directory 3 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\inzkcszdo.exe_lang.ini	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
File created	C:\Windows\SysWOW64\inzkcszdo.exe	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
File created	C:\Windows\SysWOW64\syslog.dat	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exeinzkcszdo.exe

pid	process
2068	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
2068	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
5084	inzkcszdo.exe
5084	inzkcszdo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exeinzkcszdo.exe

description pid process

Token: 85899345940 2068 8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Token: 85899345940 5084 inzkcszdo.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

inzkcszdo.exe

pid process

5084 inzkcszdo.exe

description	pid	process
Token: 85899345940	2068	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
Token: 85899345940	5084	inzkcszdo.exe

pid	process
5084	inzkcszdo.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe

description	pid	process	target process
PID 2068 wrote to memory of 5084	2068	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inzkcszdo.exe
PID 2068 wrote to memory of 5084	2068	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inzkcszdo.exe
PID 2068 wrote to memory of 5084	2068	8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe	inzkcszdo.exe

C:\Users\Admin\AppData\Local\Temp\8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
"C:\Users\Admin\AppData\Local\Temp\8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\inzkcszdo.exe
C:\Windows\system32\inzkcszdo.exe ZhuDongdelC:\Users\Admin\AppData\Local\Temp\8de105771e5779ae9121f7cad873cdbf4df9dc5c609d81b121239b9271c007ff.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240591109_lang.dll
Filesize
119KB

MD5
1caeb438be2a702eb8338c2617db8bbc

SHA1
ca58249e907410108dba82b832ceb8145ec81e09

SHA256
eb9c569a935ab4ba383c7129bb2212e9440ebe7e4dbcc7e7edaa573f99376847

SHA512
e633d17a347aa676724e2516252c48c8527857ab9fa4927bc7181a863d7889fe4946e27ddb002ee8ddc4374bc828938e27a09dbda573493290b0b2f2ca27f988

Download Submit
C:\Windows\SysWOW64\inzkcszdo.exe
Filesize
725KB

MD5
ff506a1a09d50ad5bc9a3dee42ea1c01

SHA1
cdceabbdf1d98c4a974a8b28fab06d1df2273327

SHA256
0b5cd76f8acd374ea1721a1b04a213cf63e4e67e97e88678bf3c387d8a300964

SHA512
75df94714679e3a9618881bf1882d6bedb687d5673badea4f7f0188b5028a2d9d99f907112d55cdcc28a957bc5661ff1163359938581850bd3b7ac08473a07d4

Download Submit
C:\Windows\SysWOW64\inzkcszdo.exe
Filesize
725KB

MD5
ff506a1a09d50ad5bc9a3dee42ea1c01

SHA1
cdceabbdf1d98c4a974a8b28fab06d1df2273327

SHA256
0b5cd76f8acd374ea1721a1b04a213cf63e4e67e97e88678bf3c387d8a300964

SHA512
75df94714679e3a9618881bf1882d6bedb687d5673badea4f7f0188b5028a2d9d99f907112d55cdcc28a957bc5661ff1163359938581850bd3b7ac08473a07d4

Download Submit
memory/2068-132-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/2068-137-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/5084-134-0x0000000000000000-mapping.dmp

Download
memory/5084-138-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/5084-140-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads