gh0strat | ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b

General

Target

ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe
Size

2.9MB
MD5

1721a0dee62051d27efc1c1f5cccb9a6
SHA1

21fbf18b5d5214804060fe640063f2d9ac6d7c1d
SHA256

ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b
SHA512

059069eb514027dda7e66bcbee0332a3d14e5ec6c4cdac9e4c316f9ac4bc85a310ba79785fc055e4183df9b132b7ddc70ee0fd1c0694cbafc1dfea246d923678
SSDEEP

24576:shoNlPUcdbMZMvTV2GlSpbRrSnYPVtrklEAve9GKoqW:tNlPUuLoD8kd/ZoqW

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4804-140-0x00000000021F0000-0x0000000002286000-memory.dmp	family_gh0strat
behavioral2/memory/4804-141-0x0000000010000000-0x000000001007B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
4804	HWBoxDockLaunch.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe

Loads dropped DLL 1 IoCs

pid	Process
4804	HWBoxDockLaunch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	4308	WerFault.exe	79

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4308	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe
4308	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4804	4308	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe	83
PID 4308 wrote to memory of 4804	4308	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe	83
PID 4308 wrote to memory of 4804	4308	ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe	83

C:\Users\Admin\AppData\Local\Temp\ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe
"C:\Users\Admin\AppData\Local\Temp\ecb2c62b1593b4d19b1d34d87310c7a9c001e7ff96d5c2b8ca509f3001db810b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Public\AppUpdate\HWBoxDockLaunch.exe
  "C:\Users\Public\AppUpdate\HWBoxDockLaunch.exe" u C:\Users\Public\Mdfgfx.lzo -u- -up0q3x2z0!C:\Users\\Public\ddajDI.lzo * -r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 1300
  2⤵
  - Program crash
  PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4308 -ip 4308
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\AppUpdate\7z.dll

Filesize
63KB

MD5
c3d4fd8facb57e2e9aee6be7fcf9f149

SHA1
393d0fc732c6f9b27ae5abc10d31b402a2410958

SHA256
e370d450158a26c257e0c10af58b8e0696ec87ddef137c22ceb3a26c66efe67b

SHA512
7af34e4b3e7f27bac265243072542be576ae558ede86a36291ab05a178ff20ffca36e8b86dac026f4149fdf174e77919fe313fcd542b0638d2047f2d7024b751

Download Submit
C:\Users\Public\AppUpdate\7z.dll

Filesize
63KB

MD5
c3d4fd8facb57e2e9aee6be7fcf9f149

SHA1
393d0fc732c6f9b27ae5abc10d31b402a2410958

SHA256
e370d450158a26c257e0c10af58b8e0696ec87ddef137c22ceb3a26c66efe67b

SHA512
7af34e4b3e7f27bac265243072542be576ae558ede86a36291ab05a178ff20ffca36e8b86dac026f4149fdf174e77919fe313fcd542b0638d2047f2d7024b751

Download Submit
C:\Users\Public\AppUpdate\HWBoxDockLaunch.exe

Filesize
179KB

MD5
978ffc5488337fa1a3c1f3e67da60827

SHA1
c5a9118a7c2194f47d61dd38b72c5b9dd276bc7b

SHA256
9f99da4896da25cddd506b96a6a62789b4b1832044285663916cbfb34cd9848c

SHA512
50e4a559bd64333a05297448be899b092caf8f63545208b8524ce5eaca8a30f2bd9b8257036d712ca67d114f4d689dd1580276024a8eccf3015d8aa7dcf238fe

Download Submit
C:\Users\Public\AppUpdate\HWBoxDockLaunch.exe

Filesize
179KB

MD5
978ffc5488337fa1a3c1f3e67da60827

SHA1
c5a9118a7c2194f47d61dd38b72c5b9dd276bc7b

SHA256
9f99da4896da25cddd506b96a6a62789b4b1832044285663916cbfb34cd9848c

SHA512
50e4a559bd64333a05297448be899b092caf8f63545208b8524ce5eaca8a30f2bd9b8257036d712ca67d114f4d689dd1580276024a8eccf3015d8aa7dcf238fe

Download Submit
C:\Users\Public\AppUpdate\idmmzcc3.xpi

Filesize
576KB

MD5
3df4992014558abf910cf437e6a15c54

SHA1
45a63b0d40cb7f90355a62c1e178d27f23a51e18

SHA256
389018f193e572a4f7c56a6e5abf05fd51935977751c5feee9d0d17821087957

SHA512
b81dff8de5da416b85f0778af83637e790b0075631231e9ef32784cd0b33653c229c01505bbccf89879374a928c57e8a8136577f69d25631ffe1e77e3bcdecfd

Download Submit
C:\Users\Public\AppUpdate\task.dat

Filesize
159B

MD5
3572a3c8f0c31b7bc81e8f8afe4a5db2

SHA1
7bd3b0f22e0388efc3e8ffca8b13e29b30ef3238

SHA256
5b96a46f8a43c3338b9c952bbb981eba1b1fca11172e4d4b8fe349509507634d

SHA512
2c1ab76ad9d3d46bb9cb5d3af8e8258e30ad50801c24af1cc3f6b87ba6961fad7bdec002d6b489b31a52a677590be3e93d4d1d5d7b1133b94a16e762f700f8e7

Download Submit
memory/4804-138-0x00000000021F0000-0x0000000002286000-memory.dmp

Filesize
600KB

Download
memory/4804-140-0x00000000021F0000-0x0000000002286000-memory.dmp

Filesize
600KB

Download
memory/4804-141-0x0000000010000000-0x000000001007B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing