gh0strat | e7bf6176eb0f048d92c32f88265fb268e1fcb95c010b8ac561a830b20be0b756

Analysis

max time kernel
118s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-06-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
Size

1.9MB
MD5

5180aed5b965547e91efa008b717f60e
SHA1

54880ff5d78461ce44c360eac1d6b78324f2d9ac
SHA256

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418
SHA512

7ff238fe96ee8d6261a7b2c966695b1beed388b8c5d015e4b3398c6ac25542b6a999814034076f7091b6e64db6f63e07b27d119a128599b3704d21654d254623
SSDEEP

49152:sD570Xqsslj++UXO26hSrtML/eYxkkdLqVK5zBO6LvVV1WWhxU9BJ:s0Xqssl1UXOnSrtML/eYxkkdLqUxZV3I

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral17/memory/1680-85-0x0000000002420000-0x000000000249B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe

description pid process target process

PID 1196 created 1360 1196 e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe Explorer.EXE
Executes dropped EXE 1 IoCs

Processes:

ypager.exe

pid process

1680 ypager.exe

description	pid	process	target process
PID 1196 created 1360	1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe	Explorer.EXE

pid	process
1680	ypager.exe

Loads dropped DLL 4 IoCs

Processes:

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exeypager.exe

pid	process
1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
1680	ypager.exe
1680	ypager.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ypager.exe

description	ioc	process
File opened (read-only)	\??\E:	ypager.exe
File opened (read-only)	\??\F:	ypager.exe
File opened (read-only)	\??\I:	ypager.exe
File opened (read-only)	\??\L:	ypager.exe
File opened (read-only)	\??\M:	ypager.exe
File opened (read-only)	\??\R:	ypager.exe
File opened (read-only)	\??\Y:	ypager.exe
File opened (read-only)	\??\H:	ypager.exe
File opened (read-only)	\??\J:	ypager.exe
File opened (read-only)	\??\O:	ypager.exe
File opened (read-only)	\??\S:	ypager.exe
File opened (read-only)	\??\T:	ypager.exe
File opened (read-only)	\??\V:	ypager.exe
File opened (read-only)	\??\Z:	ypager.exe
File opened (read-only)	\??\B:	ypager.exe
File opened (read-only)	\??\K:	ypager.exe
File opened (read-only)	\??\P:	ypager.exe
File opened (read-only)	\??\Q:	ypager.exe
File opened (read-only)	\??\W:	ypager.exe
File opened (read-only)	\??\G:	ypager.exe
File opened (read-only)	\??\N:	ypager.exe
File opened (read-only)	\??\U:	ypager.exe
File opened (read-only)	\??\X:	ypager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ypager.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ypager.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ypager.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exeypager.exe

pid	process
1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe
1680	ypager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exeypager.exe

pid process

1196 e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
1680 ypager.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe

description	pid	process	target process
PID 1196 wrote to memory of 1680	1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe	ypager.exe
PID 1196 wrote to memory of 1680	1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe	ypager.exe
PID 1196 wrote to memory of 1680	1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe	ypager.exe
PID 1196 wrote to memory of 1680	1196	e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe	ypager.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
"C:\Users\Admin\AppData\Local\Temp\e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Public\WinZip\ypager.exe
/mnfgkr
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\WinZip\ULPSCtrl.DLL
Filesize
3.1MB

MD5
e9b960187e2f0fbd52b72b998948bc59

SHA1
8d0fa9ee8e2ba8c00b8488f29d7ea42f571229d4

SHA256
3fc415e6865a071147927e0a4b163e9674f03c141be64d0b73ba3fdf326979c6

SHA512
1133c5d74f1740057ed5ae693f325a1ddeb71c539f8fef3319bee36dad3a81c18aeb4e623d9cc8a7838727b3960542513d176f7894858335eef4138af352d116

Download Submit
C:\Users\Public\WinZip\donottrace.txt
Filesize
576KB

MD5
b6678d622d68b2e0d7ca40d90a2f3364

SHA1
c7024ff30e61497fcc084f49d3a3970f448ef979

SHA256
1a22b5a54359e3db68ad451cf62f76e1b59ab0c6b06f2960078b812889fc1049

SHA512
217d6b3b950204884697d56e66abf6172400f8d7b959957fdebbb7528c0a9413ca664f90fe1c047bdea95fdb1361ed0513ff31a655b4a53f890f6a349e89561d

Download Submit
C:\Users\Public\WinZip\task.dat
Filesize
88B

MD5
9b33574eaac428c3ad1a2c5ae13f2c13

SHA1
31714b1b191635b00d7afa2d1ebe1c2f94848d9b

SHA256
42d6db62d64514cadf4e71786e61f3bed8ce4c4fb528b8fe392a0631657890ca

SHA512
5ee16b4c35006139f4a0a0acacbe895e16e2b137dd20368dfc45c756c35b547cc5c6589604c7f81df555a15bd8981aa4179805070a7380c7c855bb5cf9d48cde

Download Submit
C:\Users\Public\WinZip\toollib.dll
Filesize
106KB

MD5
f945e5b62ea2965f45b883401161df6e

SHA1
39accf7996725159c177e4286c8458f87d8e5b75

SHA256
9f2a815953cc477e94ab510b564f3318be4a5d3d8ed61ada94ae5c0ffc7f5635

SHA512
b282c2d3676e853dcc2f98259e4b8c76b8d32fac191a1f9f77989bb39960f4083de3bb3aa6e7da1511444605ae508d190ed704843eec3fcbb4d87280919be973

Download Submit
C:\Users\Public\WinZip\ypager.dat
Filesize
61B

MD5
2b2a26061e72a2e4f46ee4cb177856e3

SHA1
eafc87cba0a3dd5f6ce752f92959b2817d5a76b4

SHA256
f8371db77094456c22dd527c85bb32ff72d9e62295ea23bba64e4753ad45070e

SHA512
ca77afe2acfa9ceae071858b3ed679a14b5371b38c77bcd3681c4e78160dc9ccd21e164e8255f4c202b8d42142111255f14e4885fff49d4fb3c5a7e805d7c2ca

Download Submit
C:\Users\Public\WinZip\ypager.exe
Filesize
384KB

MD5
7a07c09670406aa5e6b1e06aab0eb051

SHA1
6f4cb11d4eae23e39453339be261f6895e5bbfe3

SHA256
28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

SHA512
f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

Download Submit
C:\Users\Public\WinZip\ypager.exe
Filesize
384KB

MD5
7a07c09670406aa5e6b1e06aab0eb051

SHA1
6f4cb11d4eae23e39453339be261f6895e5bbfe3

SHA256
28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

SHA512
f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

Download Submit
C:\Users\Public\WinZip\ypager.exe
Filesize
384KB

MD5
7a07c09670406aa5e6b1e06aab0eb051

SHA1
6f4cb11d4eae23e39453339be261f6895e5bbfe3

SHA256
28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

SHA512
f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

Download Submit
\Users\Public\WinZip\ULPSCtrl.dll
Filesize
3.1MB

MD5
e9b960187e2f0fbd52b72b998948bc59

SHA1
8d0fa9ee8e2ba8c00b8488f29d7ea42f571229d4

SHA256
3fc415e6865a071147927e0a4b163e9674f03c141be64d0b73ba3fdf326979c6

SHA512
1133c5d74f1740057ed5ae693f325a1ddeb71c539f8fef3319bee36dad3a81c18aeb4e623d9cc8a7838727b3960542513d176f7894858335eef4138af352d116

Download Submit
\Users\Public\WinZip\toollib.dll
Filesize
106KB

MD5
f945e5b62ea2965f45b883401161df6e

SHA1
39accf7996725159c177e4286c8458f87d8e5b75

SHA256
9f2a815953cc477e94ab510b564f3318be4a5d3d8ed61ada94ae5c0ffc7f5635

SHA512
b282c2d3676e853dcc2f98259e4b8c76b8d32fac191a1f9f77989bb39960f4083de3bb3aa6e7da1511444605ae508d190ed704843eec3fcbb4d87280919be973

Download Submit
\Users\Public\WinZip\ypager.exe
Filesize
384KB

MD5
7a07c09670406aa5e6b1e06aab0eb051

SHA1
6f4cb11d4eae23e39453339be261f6895e5bbfe3

SHA256
28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

SHA512
f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

Download Submit
\Users\Public\WinZip\ypager.exe
Filesize
384KB

MD5
7a07c09670406aa5e6b1e06aab0eb051

SHA1
6f4cb11d4eae23e39453339be261f6895e5bbfe3

SHA256
28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

SHA512
f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

Download Submit
memory/1680-75-0x0000000001CC0000-0x0000000002072000-memory.dmp

Filesize
3.7MB

Download
memory/1680-79-0x0000000002380000-0x0000000002416000-memory.dmp

Filesize
600KB

Download
memory/1680-85-0x0000000002420000-0x000000000249B000-memory.dmp

Filesize
492KB

Download