gh0strat | be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5

General

Target

be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe
Size

132KB
MD5

78d516ecb552549f50e8be08ddd8082f
SHA1

352fae1916fd6a1985b35f4f9c03e9f89a2a7a3a
SHA256

be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5
SHA512

7610061c65a0f0440528ea734bbf73b4c39b9f7d02c88a5b56ee931628e3bde4433177a9a76d2aa6a845003e3b1f57eaed092119748aa71f994535e6654292b9
SSDEEP

768:Y8UZO58Pwg9EuwArwaeNWSMpGzlZ6PelsPnM2lpFX4nrKdc+7FDbNn:dSPcuFlnlGzlkDD1YKdcmdNn

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4340-3-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat
behavioral2/memory/848-13-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat
behavioral2/memory/2596-20-0x0000000010000000-0x000000001000F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Qaiqmq.com

Executes dropped EXE 2 IoCs

pid	Process
848	Qaiqmq.com
2596	Qaiqmq.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Qaiqmq.com	be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe
File opened for modification	C:\windows\Qaiqmq.com	be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Qaiqmq.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Qaiqmq.com

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Qaiqmq.com
Key created	\REGISTRY\USER\.DEFAULT\Software	Qaiqmq.com
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Qaiqmq.com
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Qaiqmq.com
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Qaiqmq.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	Qaiqmq.com
2596	Qaiqmq.com

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4340	be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe
Token: 33	2596	Qaiqmq.com
Token: SeIncBasePriorityPrivilege	2596	Qaiqmq.com
Token: 33	2596	Qaiqmq.com
Token: SeIncBasePriorityPrivilege	2596	Qaiqmq.com

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1988	4340	be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe	92
PID 4340 wrote to memory of 1988	4340	be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe	92
PID 4340 wrote to memory of 1988	4340	be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe	92
PID 848 wrote to memory of 2596	848	Qaiqmq.com	93
PID 848 wrote to memory of 2596	848	Qaiqmq.com	93
PID 848 wrote to memory of 2596	848	Qaiqmq.com	93

C:\Users\Admin\AppData\Local\Temp\be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe
"C:\Users\Admin\AppData\Local\Temp\be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE267D~1.EXE > nul
  2⤵
  PID:1988

C:\windows\Qaiqmq.com
C:\windows\Qaiqmq.com -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848
- C:\windows\Qaiqmq.com
  C:\windows\Qaiqmq.com -acsi
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Qaiqmq.com

Filesize
132KB

MD5
78d516ecb552549f50e8be08ddd8082f

SHA1
352fae1916fd6a1985b35f4f9c03e9f89a2a7a3a

SHA256
be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5

SHA512
7610061c65a0f0440528ea734bbf73b4c39b9f7d02c88a5b56ee931628e3bde4433177a9a76d2aa6a845003e3b1f57eaed092119748aa71f994535e6654292b9

Download Submit
C:\Windows\Qaiqmq.com

Filesize
132KB

MD5
78d516ecb552549f50e8be08ddd8082f

SHA1
352fae1916fd6a1985b35f4f9c03e9f89a2a7a3a

SHA256
be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5

SHA512
7610061c65a0f0440528ea734bbf73b4c39b9f7d02c88a5b56ee931628e3bde4433177a9a76d2aa6a845003e3b1f57eaed092119748aa71f994535e6654292b9

Download Submit
C:\input.txt

Filesize
3B

MD5
470e7a4f017a5476afb7eeb3f8b96f9b

SHA1
d64ce8d6017f0d3ab6d528cf5dfd616ae05c32b4

SHA256
b6bc077d6675a7c8cc9e2fa5a08c86ba59b675d69af118052bb390c3cf11e5e0

SHA512
566b014c957c19cb81aab7776eaf614701dadc084aa73fd002301bc7277091c4269ce1223d16746df4e803b85171733b89fa34bb1c61830799dee3611c38e006

Download Submit
C:\windows\Qaiqmq.com

Filesize
132KB

MD5
78d516ecb552549f50e8be08ddd8082f

SHA1
352fae1916fd6a1985b35f4f9c03e9f89a2a7a3a

SHA256
be267dc8b9ef602375494ff229e3ba37d6d1e09f57abfc3ef3cb00afb94512b5

SHA512
7610061c65a0f0440528ea734bbf73b4c39b9f7d02c88a5b56ee931628e3bde4433177a9a76d2aa6a845003e3b1f57eaed092119748aa71f994535e6654292b9

Download Submit
memory/848-13-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2596-20-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4340-3-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing