gh0strat | b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
Size

579KB
MD5

fae10d3f91a9871b3b3379da6c61281e
SHA1

38703aac5334eb253f6604a3e0aaf5ed3187c7c6
SHA256

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c
SHA512

cf2d75c29d8e67227d4b3a2f51e5ab56d5080b0777df09e53d062d2ccafc2c74371fe4576c183d23d18d0a32e4a0961cfb58e14bf380dec6212e5a827bb875b0
SSDEEP

12288:zjwRywaO11fKZxRUeTTONFWTeinNFK0VIa9D5hJRqiNYbwPxN:IRzayKZse32DinNki9hfvNYbwPX

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

125.77.168.216

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1108-143-0x0000000002210000-0x0000000002226000-memory.dmp	family_gh0strat
behavioral2/memory/1108-172-0x0000000002210000-0x0000000002226000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

Executes dropped EXE 4 IoCs

Processes:

jecxz.exea.exea.exea.exe

pid process

1108 jecxz.exe
4740 a.exe
4444 a.exe
4732 a.exe

pid	process
1108	jecxz.exe
4740	a.exe
4444	a.exe
4732	a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jecxz.exe

Modifies registry class 1 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exejecxz.exe

pid	process
2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1108	jecxz.exe
1108	jecxz.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exejecxz.exe

pid	process
2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
1108	jecxz.exe
1108	jecxz.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

description	pid	process	target process
PID 2640 wrote to memory of 1108	2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 2640 wrote to memory of 1108	2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 2640 wrote to memory of 1108	2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	jecxz.exe
PID 2640 wrote to memory of 4740	2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe
PID 2640 wrote to memory of 4740	2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe
PID 2640 wrote to memory of 4740	2640	b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe
"C:\Users\Admin\AppData\Local\Temp\b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Public\jiudxz\jecxz.exe
C:\Users\Public\jiudxz\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -o -d C:\Users\Public\jiudxz C:\Users\Public\jiudxz\111.zip
2⤵
- Executes dropped EXE
PID:4740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3248

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -n -d C:\ProgramData C:\Users\Public\jiudxz\b.zip
1⤵
- Executes dropped EXE
PID:4444

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -n -d C:\ProgramData C:\Users\Public\jiudxz\b.zip
1⤵
- Executes dropped EXE
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows_denfendcx.lnk
Filesize
1KB

MD5
c907cbaad90a6e086965e9907a002eb8

SHA1
5b5de249ea7ca890f51652dfd80bc851ca4a70ce

SHA256
d00cdc9c69a47d4d6bfa605f3a5f6a6866dbb470fadf3b7d3cbc9e8de53764f1

SHA512
089b611191e2e5b547c9ee5a8eb10d94651530b0fb5c2d592b3cfdaa84c6d63245f2a8bda034fa14776c4921b082723fab59387e77e9949137c2a5e438f21f5a

Download Submit
C:\Users\Public\jiudxz\1
Filesize
122KB

MD5
664b45f632dc460686fb06e9d47f14e4

SHA1
ad2e8efd818b8ee5c384658b90ad06b756fae5b3

SHA256
a9deebbe48c982bf6bd8f244627f110809786124b9d5a2f40112095a63cd8234

SHA512
40ea8f0d7f486629ea9fece41ceb38ff5e6f6c754959d8eb31e68e7bb94fec3b09a5c9d6e7e35fc0a398c34f66507c6c50c87e7e9e4bfb45155a0d7f43de5355

Download Submit
C:\Users\Public\jiudxz\111.zip
Filesize
1.3MB

MD5
d58af45fe9e79e5a186387f6f845fc6f

SHA1
8b1e8d64f2641ef04cdf82c7ed32d08874215a2d

SHA256
0a1c8b00d7c5f7ebdfb2be3544aaf0c2c01f84dafbf3cc75c84a95bbe702b782

SHA512
2207d8031fe42a6c03d84b9b07d55726a2a4bd5074c47d00411845e68b89e9730555ec638bec025651a0e50c5fee9bef6a417c7b1eccb6e7c491c850a2137290

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\b.zip
Filesize
1KB

MD5
f44f02d78a5e136e6ab23306069535f1

SHA1
e1a4da6ce8ff800bbec20dd3d24ee6b09a997b0d

SHA256
cfefb6094f4a83f3da8a35aeff3e5d813716476536bfdd66f8d058882e9aa450

SHA512
639c981e95cc667ecd29aaee0df95d889bf7da2ee1aa3b2baa40836ee785c4cc2ab25f0c5455dedf6bb6681c645a0524bc3f29291bbe3995ca7a81c2feb9c503

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\saxbn.exe
Filesize
350KB

MD5
45e0b1e56b803e9400aef913b0ee76f7

SHA1
5e99bab28b1e29ddf3d37bc38aacc1f5182dbd73

SHA256
f18a037a8ac26b970091057899047cb9237e420d3d194784a66e5d3068d893fa

SHA512
70cb1767dc52467d6ad84f8e876ef3a2d0f079788557fa23ab3062927ea9975734c8dbe3b1f524705954cc8ce74864f05c1ce5806dc0341aa9655399d2ab1e1c

Download Submit
memory/1108-143-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/1108-172-0x0000000002210000-0x0000000002226000-memory.dmp

Filesize
88KB

Download
memory/2640-157-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2640-133-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2640-136-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2640-135-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2640-134-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/2640-173-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4444-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4732-171-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4740-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download