Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05/03/2025, 10:02
General
-
Target
ef79e9f000bce03fe84bdd04c5240e3963755518e1d008caae787909c5a94978.exe
-
Size
191KB
-
MD5
82829247dbba2e55a4301cb183735df9
-
SHA1
28fbfa78ded6729f6a830ec9882c683356c53339
-
SHA256
ef79e9f000bce03fe84bdd04c5240e3963755518e1d008caae787909c5a94978
-
SHA512
2fa7a4738010bd4d155cb792cb5a6045d172f869d79f30a98559f70c2a5fb5f252619aa6432f9f858d7582735217fc5e3b42696f95132212bc843bc8b9c5cb1b
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf
Malware Config
Extracted
gh0strat
107.163.241.193:6520
http://107.163.241.181:16300/
http://107.163.241.182:12354/login.php
-
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Signatures
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef79e9f000bce03fe84bdd04c5240e3963755518e1d008caae787909c5a94978.exe"C:\Users\Admin\AppData\Local\Temp\ef79e9f000bce03fe84bdd04c5240e3963755518e1d008caae787909c5a94978.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\qgepofutu.exe "C:\Users\Admin\AppData\Local\Temp\ef79e9f000bce03fe84bdd04c5240e3963755518e1d008caae787909c5a94978.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\qgepofutu.exeC:\Users\Admin\AppData\Local\Temp\\qgepofutu.exe "C:\Users\Admin\AppData\Local\Temp\ef79e9f000bce03fe84bdd04c5240e3963755518e1d008caae787909c5a94978.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\Program Files\blmtf\aeykatdiw.exe"c:\Program Files\blmtf\aeykatdiw.exe" "c:\Program Files\blmtf\aeykatdiw.dll",Compliance C:\Users\Admin\AppData\Local\Temp\qgepofutu.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD5d477ba658fbbf8f70ad3020515c5bd0d
SHA11bb9a2238415f1a3fdaa63237fd18845aae93f95
SHA2566ac99e3745fc9b6817c9fa85d93f4811573ef70a18dec467e5138e828f890859
SHA512eace4f626db0566f5f1b1157f6c039295e753324e3540f9672bfe2b00cc1d1619d94a9556e57741443aa7f9c3643e7978e053c91f0f9a91b00f0af633c77059b
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
191KB
MD56155638dc3ea923def4a27b979e58a7f
SHA1ea848f24c65ee3236cd614b6b8fb1a507cb00c4f
SHA256468bed5cf6c6cb841e246484481b5ec60d2ac3c5a34d18f63f5b430caaccc02d
SHA5127f7cb33886c6c8664cc31efeaae7bf85f40b4e95596789a48f2183a0b0580f7b30f204835ca16442afbf0c2483b67acdeb727e7e9f8d6efa719f97a7c4bb76ed
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB