#1263853: Threats Win.Trojan.Gh0stRAT-6993126-0

Description: Win.Trojan.Gh0stRAT-6993126-0
Trojan
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
First Aid: IOCs:

Registry Keys                                           Occurrences
------------------------------------------------------  -----------
<HKCU>\Software\Microsoft\Windows Script Host\Settings  26
Mutexes                                       Occurrences
------------------------------------------    -----------
guduyinan.gnway.net                           6
127.0.0.1                                     2
soiufnrfjowieursmpwoeirfujaiurvnapoai39w45    2
y927.f3322.org                                2
ddos-cc.vicp.cc                               2
192.168.1.100                                 2
linchen1.3322.org                             2
\BaseNamedObjects\linchen1.3322.org           2
119.98.51.129                                 1
115.28.32.138                                 1
203.156.199.11                                1
q727446006.gicp.net                           1
zy520.f3322.org                               1
169.254.22.15                                 1
118.244.153.46                                1
121.199.6.242                                 1
192.168.1.68                                  1
850967012.f3322.org                           1
169.254.25.100                                1
a678157.oicp.net                              1
192.168.0.13                                  1
192.168.0.101                                 1
cfhx.f3322.org                                1
xueyang22.gicp.net                            1
\BaseNamedObjects\www.touzi1616.com           1
See JSON for more IOCs
IP addresses contacted by malware (does not indicate maliciousness)

IP Address               Occurrences
---------------------    -----------
118[.]5[.]49[.]6         2
197[.]4[.]4[.]12         2
115[.]28[.]40[.]12       2
49[.]2[.]123[.]56        2
118[.]244[.]185[.]113    2
116[.]255[.]131[.]145    2
174[.]128[.]255[.]245    1
189[.]163[.]17[.]5       1
54[.]76[.]135[.]1        1
188[.]5[.]4[.]96         1
61[.]142[.]176[.]23      1
27[.]9[.]199[.]217       1
110[.]251[.]189[.]65     1
114[.]239[.]19[.]101     1
222[.]186[.]27[.]216     1
115[.]28[.]44[.]116      1
123[.]131[.]15[.]109     1
120[.]9[.]228[.]6        1
119[.]98[.]51[.]129      1
101[.]16[.]198[.]98      1
203[.]156[.]199[.]11     1
115[.]28[.]32[.]138      1
169[.]254[.]22[.]15      1
121[.]199[.]6[.]242      1
118[.]244[.]153[.]46     1
See JSON for more IOCs
Domain names contacted by malware (does not indicate maliciousness)

Domain Name                 Occurrences
------------------------    -----------
guduyinan[.]gnway[.]net     5
y927[.]f3322[.]org          2
ddos-cc[.]vicp[.]cc         2
linchen1[.]3322[.]org       2
xm974192128[.]3322[.]org    1
guduyinan[.]gnway[.]com     1
278267882[.]f3322[.]org     1
a3328657[.]f3322[.]org      1
www[.]touzi1616[.]com       1
jie0109[.]hackxd[.]net      1
zy520[.]f3322[.]org         1
q727446006[.]gicp[.]net     1
850967012[.]f3322[.]org     1
a678157[.]oicp[.]net        1
cfhx[.]f3322[.]org          1
xueyang22[.]gicp[.]net      1
Files and/or directories created

Path                     Occurrences
---------------------    -----------
%TEMP%\jnbxmapdsg.vbs    1
%TEMP%\rlzocrfujx.vbs    1
%TEMP%\bvjkzncqf.vbs     1
%TEMP%\mxoejtdhe.vbs     1
%TEMP%\ofcspybli.vbs     1
%TEMP%\imopeshvj.vbs     1
%TEMP%\paybqnqnd.vbs     1
%TEMP%\ntvxzbqf.vbs      1
%TEMP%\rvxmapdsgv.vbs    1
%TEMP%\dkaqshjynd.vbs    1
%TEMP%\vbdsgvjy.vbs      1
%TEMP%\noqftiwlzo.vbs    1
%TEMP%\ovxncegixm.vbs    1
%TEMP%\qhxurnkcs.vbs     1
%TEMP%\eyaodrgujx.vbs    1
%TEMP%\zyvhdvlis.vbs     1
%TEMP%\zdrshixlao.vbs    1
%TEMP%\waoqethv.vbs      1
%TEMP%\ulabqeth.vbs      1
%TEMP%\othjxmapd.vbs     1
%TEMP%\zdeguvky.vbs      1
%TEMP%\gzgjxmoqeg.vbs    1
%TEMP%\fqwzqhkh.vbs      1
%TEMP%\ulabqrguix.vbs    1
%TEMP%\vrfxlaods.vbs     1
See JSON for more IOCs
File Hashes

0477c2b9ba7eecc8b0827400576860257e62a306a3e0c310eb84c537ec47e018
13287e727a2be4b6a3533e768b4babfd9191ec65002abcdf77c43e69278963be
1d7633311c1f671c60422a4d6723aa10a37e833e2d5df732f3988b3e379b2ee9
2a38fbbcef4bc83582ccd98c9bf96ff29e4c915d90802ec799420420f2cad6e6
2b19de056a388d0ee3672be895f4e446c42053034c68675585dd3fb54b8d1eb7
3821a10495fb4759fbab1ef7868eeb1e207ea6bf4211370f072b0215a14b46c8
3ae58dca3ce80c3ed4b65f610eee921dbeb3343619caace78c6afe21ec237f08
3d54f0fbd50f0b91f635a9ecc89ef8cb58c021bb60326b5fa2db75989d1bff5a
3fdd3b5333f7e526e80599add12fdeef663c59ad79ef4e714912043038377730
47c349433e77aefb18ea384f6ab4759f7bd49466f7a747255d19d4648fecc762
49752684078dfa74cd25adbbdc9bbf7a98e6f96f5355cd52b8b77738506673e7
4e5a282c7230242d090844875c9f5c432dc2c4bad3ba13fa2a7df86843785f75
53e08241abdfe3f13d6aa875642638d1badc6ec59cdb9757fe0fd598dc736927
57fc8d1737521cb0af37fcf70079603dc0eb5da1b3bbef9bad334dfe79176068
5ba20f4aaf94b4f418501ae977d1f6cf947accf8134c3b9487b42cdd65ef715b
5fab1a54d1338b2cb906aae3b2f5292d47445aae2af383c2a0e99b4ccf863262
60f6548844d59e59dc90a12fcb97396793c20687947a6eb5cc543debecf607d1
61caab6c70480cd6db4f33234cfc86467bff26c2e19b804211be8c822218a940
More info: https://blog.talosintelligence.com/2019/06/threat-roundup-0607-0614.html

Date added June 17, 2019, 10:58 a.m.
Source Talos
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • APTs - China - New Reports in
  • China - Gh0st RAT / Gh0strat / BKDR_GHOST /TROJ_GHOST / GhostNet / Gh0stNet APT