gh0strat | 02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
Size

580KB
MD5

87d748a0ae1ec45b8ace9a2ceb6a3766
SHA1

e7d124c1b12e65d52f72f808731b3f0184a6ce10
SHA256

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43
SHA512

02ea5c169f831955fd08769261fc04ab7c20fe7c53d41a1d3044323c6353d6cd41a36a8576688fcff2e540d245adaba7fa70b9180f1027b94fc59d413c5fa5eb
SSDEEP

12288:I13jViY02vmO1oiRFr2vFrajw5Gc/kqO:QiY0+mOjErC2xcqO

Score

10^/10

gh0strat rat

Malware Config

Extracted

Family

gh0strat

125.77.168.181

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1464-143-0x0000000000610000-0x0000000000626000-memory.dmp	family_gh0strat
behavioral2/memory/1464-172-0x0000000000610000-0x0000000000626000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe

Executes dropped EXE 4 IoCs

Processes:

jecxz.exea.exea.exea.exe

pid process

1464 jecxz.exe
2372 a.exe
2424 a.exe
3508 a.exe

pid	process
1464	jecxz.exe
2372	a.exe
2424	a.exe
3508	a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
File opened (read-only)	\??\U:	jecxz.exe
File opened (read-only)	\??\X:	jecxz.exe
File opened (read-only)	\??\N:	jecxz.exe
File opened (read-only)	\??\R:	jecxz.exe
File opened (read-only)	\??\S:	jecxz.exe
File opened (read-only)	\??\Q:	jecxz.exe
File opened (read-only)	\??\T:	jecxz.exe
File opened (read-only)	\??\V:	jecxz.exe
File opened (read-only)	\??\W:	jecxz.exe
File opened (read-only)	\??\G:	jecxz.exe
File opened (read-only)	\??\H:	jecxz.exe
File opened (read-only)	\??\J:	jecxz.exe
File opened (read-only)	\??\B:	jecxz.exe
File opened (read-only)	\??\K:	jecxz.exe
File opened (read-only)	\??\L:	jecxz.exe
File opened (read-only)	\??\M:	jecxz.exe
File opened (read-only)	\??\O:	jecxz.exe
File opened (read-only)	\??\P:	jecxz.exe
File opened (read-only)	\??\E:	jecxz.exe
File opened (read-only)	\??\F:	jecxz.exe
File opened (read-only)	\??\I:	jecxz.exe
File opened (read-only)	\??\Y:	jecxz.exe
File opened (read-only)	\??\Z:	jecxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jecxz.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jecxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jecxz.exe

Modifies registry class 1 IoCs

Processes:

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exejecxz.exe

pid	process
4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
1464	jecxz.exe
1464	jecxz.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exejecxz.exe

pid	process
4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
1464	jecxz.exe
1464	jecxz.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe

description	pid	process	target process
PID 4400 wrote to memory of 1464	4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe	jecxz.exe
PID 4400 wrote to memory of 1464	4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe	jecxz.exe
PID 4400 wrote to memory of 1464	4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe	jecxz.exe
PID 4400 wrote to memory of 2372	4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe	a.exe
PID 4400 wrote to memory of 2372	4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe	a.exe
PID 4400 wrote to memory of 2372	4400	02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe
"C:\Users\Admin\AppData\Local\Temp\02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Public\jiudxz\jecxz.exe
C:\Users\Public\jiudxz\jecxz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -o -d C:\Users\Public\jiudxz C:\Users\Public\jiudxz\111.zip
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2764

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -n -d C:\ProgramData C:\Users\Public\jiudxz\b.zip
1⤵
- Executes dropped EXE
PID:2424

C:\Users\Public\jiudxz\a.exe
"C:\Users\Public\jiudxz\a.exe" -n -d C:\ProgramData C:\Users\Public\jiudxz\b.zip
1⤵
- Executes dropped EXE
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows_denfendcx.lnk
Filesize
1KB

MD5
c907cbaad90a6e086965e9907a002eb8

SHA1
5b5de249ea7ca890f51652dfd80bc851ca4a70ce

SHA256
d00cdc9c69a47d4d6bfa605f3a5f6a6866dbb470fadf3b7d3cbc9e8de53764f1

SHA512
089b611191e2e5b547c9ee5a8eb10d94651530b0fb5c2d592b3cfdaa84c6d63245f2a8bda034fa14776c4921b082723fab59387e77e9949137c2a5e438f21f5a

Download Submit
C:\Users\Public\jiudxz\1
Filesize
122KB

MD5
025cb2d0bc04373cede6c1d4a66860a7

SHA1
087267438939030b7a639d71ce36e37ad744f803

SHA256
a5d86f16c35b8cc37123513e9825b7540d13dac712f9f01ce0b23079827d4206

SHA512
3cfa1b7a3f4cc509f3e33155508d5a0c32e4e829e01bb2217bfcd2706fed2114d28b9590bfecbba734b34a9905d57c66f90f2b3b72cd4c4f7adb2642c06189e5

Download Submit
C:\Users\Public\jiudxz\111.zip
Filesize
1.3MB

MD5
53d1c63890482c3279e503a1360588db

SHA1
ce41732262af72ee810e9d5ed6b3c435b8516f76

SHA256
d5a74cf2501c9c386f8d586f17f14ed4fa4a77436c857b51eb221a5106c6ebcf

SHA512
fe6d93e7e8f0af0ed1dd1fbfebcb9bddddfa284f6db6a056ea64f3ef7ade72380d10a316343f29f2e836174b0060e24210948b3b92cc055944ca870b6ca470b8

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\a.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\jiudxz\b.zip
Filesize
1KB

MD5
f44f02d78a5e136e6ab23306069535f1

SHA1
e1a4da6ce8ff800bbec20dd3d24ee6b09a997b0d

SHA256
cfefb6094f4a83f3da8a35aeff3e5d813716476536bfdd66f8d058882e9aa450

SHA512
639c981e95cc667ecd29aaee0df95d889bf7da2ee1aa3b2baa40836ee785c4cc2ab25f0c5455dedf6bb6681c645a0524bc3f29291bbe3995ca7a81c2feb9c503

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\jecxz.exe
Filesize
1008KB

MD5
e392cdd1a09a7510225aa614a1bbea11

SHA1
a0c79045eafc0b211843ec425a08af35464e5698

SHA256
349c714ea4218250fcd81ed0d180e7ff06926de8dec907709a0daec63fa3c2c2

SHA512
ba5dfb32a591d3fb8e1de4962746dad91c2f92e678ff06464d2a06626586bfd871ea975eb462b2a6f557b807611542adebe8735e350e80a7967a531b370026a7

Download Submit
C:\Users\Public\jiudxz\saxbn.exe
Filesize
350KB

MD5
45e0b1e56b803e9400aef913b0ee76f7

SHA1
5e99bab28b1e29ddf3d37bc38aacc1f5182dbd73

SHA256
f18a037a8ac26b970091057899047cb9237e420d3d194784a66e5d3068d893fa

SHA512
70cb1767dc52467d6ad84f8e876ef3a2d0f079788557fa23ab3062927ea9975734c8dbe3b1f524705954cc8ce74864f05c1ce5806dc0341aa9655399d2ab1e1c

Download Submit
memory/1464-143-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/1464-172-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/2372-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2424-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3508-171-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4400-160-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4400-133-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4400-136-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4400-135-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4400-134-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4400-173-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download