
GhostRat Malware

By camilla.ahlquist posted Feb 04, 2026 11:00 AM


Threat Intelligence Report
Malware Family: GhostRat

Executive Summary

GhostRat is a sophisticated Remote Access Trojan (RAT) known for its stealth, persistence, and modular architecture. The analyzed sample demonstrates advanced capabilities including process injection, credential harvesting, system reconnaissance, and encrypted command-and-control (C2) communication. The malware employs multiple evasion techniques and leverages legitimate tools such as PowerShell and Node.js to maintain persistence and avoid detection.

Technical Analysis

1. Initial Infection Vector

·       The sample is a PE32 executable, signed by SOFTWARE CODERS LIMITED using a valid Sectigo EV certificate.

·       Likely delivered via phishing email or malicious download, masquerading as a legitimate installer (Nullsoft self-extracting archive).

2. Process and Execution Flow

·       Primary Execution: Launches dfdVgIkAsj.exe with elevated privileges.

·       Child Processes Spawned:

o   cmd.exe, powershell.exe, node.exe, wscript.exe, schtasks.exe, taskkill.exe, tasklist.exe, auditpol.exe.

·       Suspended Process Creation: Indicates process injection (MITRE T1055).

·       VBScript Execution: Used for stealthy persistence (MITRE T1064).

3. File System Activity

·       Dropped Files:

o   Executables: node.exe, uninstall.exe, nsExec.dll.

o   Scripts: nodeupdate.vbs, main.js.

o   Configs: bs-list.json, e-user.json, ex-list2.json.

o   Assets: Fonts, SVGs, PNGs, CSS files.

·       Masquerading: Files with mismatched extensions (MITRE T1036).

·       Temporary File Usage: For payload staging and cleanup.

4. Registry and System Modifications

·       Registry Keys Accessed:

o   Session Manager, AppCompatFlags, Shell Folders, MountPoints2.

·       Audit Policy Changes:

o   Via auditpol.exe, enabling success auditing for system categories.

·       Windows Defender Evasion:

o   Adds an exclusion for its own executable: Add-MpPreference -ExclusionPath "dfdVgIkAsj.exe" -Force

o   Disables sample submission: Set-MpPreference -SubmitSamplesConsent NeverSend

5. Persistence Mechanisms

·       Scheduled Tasks:

o   NodeUpdate, EdgeUpdate, EdgeUpdateTaskUser.

o   Executed at logon with highest privileges (MITRE T1053).

·       Script-Based Launchers:

o   VBScript and Node.js used for modular execution.

6. Network Communication

·       DNS Queries:

o   api-torrent.com, s2.api-torrent.ru.

·       C2 Communication:

o   Encrypted traffic over port 443 to IP 93.88.75.139 (Bulgaria).

·       Protocol Usage:

o   TLS 1.0, SSL 3.0, and unknown versions (MITRE T1071, T1095).

·       Payload Exchange:

o   Bidirectional data flow, suggesting active C2 and exfiltration.

7. Credential and Data Theft

·       Targeted Data:

o   Browser history, passwords, preferences from Chrome and Edge.

·       Credential Dumping:

o   Access to secure preferences and autofill data (MITRE T1003).

·       System Reconnaissance:

o   Queries for volume info, OS details, language settings (MITRE T1082).

8. Evasion Techniques

·       Sandbox Detection:

o   Sleep manipulation (≥30s reduced to 1ms).

o   Checks for virtualized environments.

·       Anti-Debugging:

o   Uses SetErrorMode to suppress error dialogs.

·       Security Software Targeting:

o   Terminates MsMpEng.exe, msedge.exe via taskkill.exe.

9. MITRE ATT&CK Mapping

Technique ID     Name
T1036            Masquerading
T1055            Process Injection
T1053            Scheduled Task/Job
T1064            Scripting
T1082            System Information Discovery
T1003            Credential Dumping
T1071/T1095      Application/Non-App Protocols
T1497            Virtualization/Sandbox Evasion
T1562.001        Disable or Modify Tools

Indicators of Compromise (IOCs)

File Hashes

·       MD5: 981A4A3294EA586F9989472A9DA92035

·       SHA256: 1116cde0e65118fb9f714440b0776f9bee7589f080113bea4da636b5b3811231

Domains

·       api-torrent.com

·       s2.api-torrent.ru

IP Addresses

·       93.88.75.139

·       192.168.2.1 (internal)

Processes

·       dfdVgIkAsj.exe, node.exe, cmd.exe, powershell.exe, wscript.exe, schtasks.exe

Recommendations

·       Immediate Actions:

o   Block outbound traffic to 93.88.75.139.

o   Remove scheduled tasks named NodeUpdate, EdgeUpdate.

o   Re-enable Windows Defender protections and audit policies.

·       Detection Rules:

o   Monitor for PowerShell commands modifying MpPreference.

o   Alert on process creation in suspended mode.

o   Flag DNS queries to known malicious domains.

·       Long-Term Mitigation:

o   Implement application whitelisting.

o   Use endpoint detection and response (EDR) tools.

o   Conduct full forensic analysis of affected systems.
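The three detection rules above, as an added example that is not part of the original report: a small Python classifier run over constructed sample events shaped like Sysmon/EDR telemetry, flagging MpPreference changes, suspended process creation, and DNS queries to the report's two domains. It assumes events with image, cmdline, creation_flags and query fields; the creation_flags field (carrying the CREATE_SUSPENDED value 0x4) is assumed to come from an EDR that records it, since Sysmon does not log it.

```python
import re

# Constructed sample events (not from the original report), in the shape
# of Sysmon/EDR process-creation and DNS-query telemetry.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "dfdVgIkAsj.exe" -Force'},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -SubmitSamplesConsent NeverSend"},
    {"event": "process_create", "image": r"C:\Users\user\AppData\Local\Temp\dfdVgIkAsj.exe",
     "cmdline": "notepad.exe", "creation_flags": 0x4},  # assumed EDR field: CREATE_SUSPENDED
    {"event": "dns_query", "image": r"C:\Program Files\nodejs\node.exe", "query": "s2.api-torrent.ru"},
    {"event": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "query": "update.microsoft.com"},
    {"event": "process_create", "image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Rule 1: any PowerShell cmdlet that changes Defender preferences.
MP_PREF_RE = re.compile(r"\b(Add|Set|Remove)-MpPreference\b", re.IGNORECASE)
# Rule 2: CREATE_SUSPENDED (0x4) in the process creation flags.
CREATE_SUSPENDED = 0x00000004
# Rule 3: the domains listed in the report's IOC section.
KNOWN_BAD_DOMAINS = {"api-torrent.com", "s2.api-torrent.ru"}


def classify(event):
    """Return the list of rule names the event matches (empty if nothing fires)."""
    hits = []
    if event.get("event") == "process_create":
        if MP_PREF_RE.search(event.get("cmdline", "")):
            hits.append("defender_preference_change")
        if event.get("creation_flags", 0) & CREATE_SUSPENDED:
            hits.append("suspended_process_create")
    elif event.get("event") == "dns_query":
        # Match the domain itself or any subdomain of it; ignore a trailing dot.
        q = event.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            hits.append("c2_domain_query")
    return hits


def scan(events):
    """Run every event through the rules; return (image, rule) pairs for each hit."""
    return [(e.get("image"), rule) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```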

Conclusion

GhostRat continues to evolve with stealthy persistence mechanisms, encrypted C2 channels, and modular payload delivery. The analyzed sample demonstrates a high level of sophistication, leveraging legitimate tools and system features to evade detection and maintain control. Organizations should update detection signatures, monitor for IOCs, and educate users on phishing and suspicious downloads.

