gh0strat | b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c

Analysis

max time kernel
34s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
Size

579KB
MD5

fae10d3f91a9871b3b3379da6c61281e
SHA1

38703aac5334eb253f6604a3e0aaf5ed3187c7c6
SHA256

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c
SHA512

cf2d75c29d8e67227d4b3a2f51e5ab56d5080b0777df09e53d062d2ccafc2c74371fe4576c183d23d18d0a32e4a0961cfb58e14bf380dec6212e5a827bb875b0
SSDEEP

12288:zjwRywaO11fKZxRUeTTONFWTeinNFK0VIa9D5hJRqiNYbwPxN:IRzayKZse32DinNki9hfvNYbwPX

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

125.77.168.216

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1676-69-0x0000000000270000-0x0000000000286000-memory.dmp	family_gh0strat
behavioral1/memory/1676-93-0x0000000000270000-0x0000000000286000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

jecxz.exea.exe

pid process

1676 jecxz.exe
1604 a.exe

pid	process
1676	jecxz.exe
1604	a.exe

Loads dropped DLL 4 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

pid	process
1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jecxz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exejecxz.exe

pid process

1232 b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1676 jecxz.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exejecxz.exe

pid	process
1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1676	jecxz.exe
1676	jecxz.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

description	pid	process	target process
PID 1232 wrote to memory of 1676	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 1232 wrote to memory of 1676	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 1232 wrote to memory of 1676	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 1232 wrote to memory of 1676	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 1232 wrote to memory of 1604	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe
PID 1232 wrote to memory of 1604	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe
PID 1232 wrote to memory of 1604	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe
PID 1232 wrote to memory of 1604	1232	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
"C:\Users\Admin\AppData\Local\Temp\b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Public\jiudxz\jecxz.exe
C:\Users\Public\jiudxz\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -o -d C:\Users\Public\jiudxz C:\Users\Public\jiudxz\111.zip
2⤵
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\jiudxz\1
Filesize
122KB

MD5
664b45f632dc460686fb06e9d47f14e4

SHA1
ad2e8efd818b8ee5c384658b90ad06b756fae5b3

SHA256
a9deebbe48c982bf6bd8f244627f110809786124b9d5a2f40112095a63cd8234

SHA512
40ea8f0d7f486629ea9fece41ceb38ff5e6f6c754959d8eb31e68e7bb94fec3b09a5c9d6e7e35fc0a398c34f66507c6c50c87e7e9e4bfb45155a0d7f43de5355

Download Submit
C:\Users\Public\jiudxz\111.zip
Filesize
1.3MB

MD5
d58af45fe9e79e5a186387f6f845fc6f

SHA1
8b1e8d64f2641ef04cdf82c7ed32d08874215a2d

SHA256
0a1c8b00d7c5f7ebdfb2be3544aaf0c2c01f84dafbf3cc75c84a95bbe702b782

SHA512
2207d8031fe42a6c03d84b9b07d55726a2a4bd5074c47d00411845e68b89e9730555ec638bec025651a0e50c5fee9bef6a417c7b1eccb6e7c491c850a2137290

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
memory/1232-74-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-54-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-59-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-57-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-56-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-55-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-92-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1232-95-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/1604-90-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-69-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/1676-93-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download