Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 07:05
General
-
Target
e96f5bcd69a3eae5fc82882825e06dd89c4da8aa8ec6ab0e4b9bafe524c947cb.exe
-
Size
208KB
-
MD5
cec1afbf2bbdacebd7a86f13b3435263
-
SHA1
a87e805f9e4bd8b988dac76f9aae23e7b3ebdba9
-
SHA256
e96f5bcd69a3eae5fc82882825e06dd89c4da8aa8ec6ab0e4b9bafe524c947cb
-
SHA512
e313f0377694931262d609de95a45f945d91b9ea8d5e82b6ff33284e9dbe8723b8cc9b016d1ea70a683315aa705b0f7d6fe2c304b43204bd02f95d6a059cf060
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF:X2vnSwjaOcADw9cUeCOf
Malware Config
Extracted
gh0strat
107.163.241.193:6520
http://107.163.241.181:16300/
http://107.163.241.182:12354/login.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Signatures
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e96f5bcd69a3eae5fc82882825e06dd89c4da8aa8ec6ab0e4b9bafe524c947cb.exe"C:\Users\Admin\AppData\Local\Temp\e96f5bcd69a3eae5fc82882825e06dd89c4da8aa8ec6ab0e4b9bafe524c947cb.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\mfhlfq.exe "C:\Users\Admin\AppData\Local\Temp\e96f5bcd69a3eae5fc82882825e06dd89c4da8aa8ec6ab0e4b9bafe524c947cb.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\mfhlfq.exeC:\Users\Admin\AppData\Local\Temp\\mfhlfq.exe "C:\Users\Admin\AppData\Local\Temp\e96f5bcd69a3eae5fc82882825e06dd89c4da8aa8ec6ab0e4b9bafe524c947cb.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\Program Files\zaefmtzrt\bwjfexp.exe"c:\Program Files\zaefmtzrt\bwjfexp.exe" "c:\Program Files\zaefmtzrt\bwjfexp.dll",Compliance C:\Users\Admin\AppData\Local\Temp\mfhlfq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
208KB
MD58abb84cfbc3867c061dc3306e718e070
SHA120a59a5fc48bbd7241702cd2df5e8c409dc29662
SHA25693f5babe99fd5ea65f3ce3b9b831a19dfdda0b4567ea4781bba8a4e9182c6fca
SHA51214a8fc158140abd4060dd115357f33b95614b2ccc755875e2c06bfc018cb7e20e9f422639b68d97d8d21a3853b6fd7ba3539b0baaeb03ac4467a4f812093274e
-
Filesize
141KB
MD5a9ef663588fc3e6834fb6cc9883d9d61
SHA1f80e357307af5cca51b9faa70851b3644690730b
SHA2563da42054db0883f7ea5c50cbcb8e39d5416e5f10ac8e13199eb1c4857a943ccb
SHA512372e4e726a751454620098f44f60ffce715ef11eab57bebc09e6bdac4b366619c17388f0a4093a28ef63b6d0d739c642e5f74182becaf8c56bbd228a4c5098f0
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB