gh0strat | 7ee5450afa7aae8af9ed319028de5a080dc554ee52b9eabf14117c61850b89b6

Resubmissions

20-06-2023 15:51

230620-tarzwaeb41 10

20-06-2023 15:47

230620-s8kssaeb31 10

Analysis

max time kernel
60s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2023 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

maochilaoshu.exe
Size

2.9MB
MD5

0772c75ff821f29e479ddc1da9a87740
SHA1

a06b6ed12126982f590893526ae6e3eec56ee4fc
SHA256

97c0b79f8421a1b0c3ef8129564ecf8b6ef037bdd432c8e856fd84e5d207edf4
SHA512

f0c40bb177c6ec4879840410fd0510bdf3c5d3e6a0de8d8f4ca98c23d0557f41f3e557184637ee9b29821b24927d5cea2951b118c84f5164a65ed3a580631286
SSDEEP

49152:WVbFeZNzXNBukNbW1Z6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcQ:ubONzdBPKg3Yz5J/693kb

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/4424-175-0x0000000010000000-0x0000000010192000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4424-175-0x0000000010000000-0x0000000010192000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

maochilaoshu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	maochilaoshu.exe

Executes dropped EXE 3 IoCs

Processes:

v.exev.exejerryrat.exe

pid process

248 v.exe
3200 v.exe
4424 jerryrat.exe

pid	process
248	v.exe
3200	v.exe
4424	jerryrat.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jerryrat.exe

description	ioc	process
File opened (read-only)	\??\J:	jerryrat.exe
File opened (read-only)	\??\M:	jerryrat.exe
File opened (read-only)	\??\X:	jerryrat.exe
File opened (read-only)	\??\Y:	jerryrat.exe
File opened (read-only)	\??\B:	jerryrat.exe
File opened (read-only)	\??\K:	jerryrat.exe
File opened (read-only)	\??\P:	jerryrat.exe
File opened (read-only)	\??\R:	jerryrat.exe
File opened (read-only)	\??\O:	jerryrat.exe
File opened (read-only)	\??\U:	jerryrat.exe
File opened (read-only)	\??\E:	jerryrat.exe
File opened (read-only)	\??\G:	jerryrat.exe
File opened (read-only)	\??\H:	jerryrat.exe
File opened (read-only)	\??\I:	jerryrat.exe
File opened (read-only)	\??\L:	jerryrat.exe
File opened (read-only)	\??\V:	jerryrat.exe
File opened (read-only)	\??\W:	jerryrat.exe
File opened (read-only)	\??\Z:	jerryrat.exe
File opened (read-only)	\??\F:	jerryrat.exe
File opened (read-only)	\??\N:	jerryrat.exe
File opened (read-only)	\??\Q:	jerryrat.exe
File opened (read-only)	\??\S:	jerryrat.exe
File opened (read-only)	\??\T:	jerryrat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jerryrat.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jerryrat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jerryrat.exe

Modifies registry class 1 IoCs

Processes:

maochilaoshu.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings maochilaoshu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	maochilaoshu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

maochilaoshu.exejerryrat.exe

pid	process
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4176	maochilaoshu.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe
4424	jerryrat.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

maochilaoshu.exehh.exehh.exehh.exe

pid process

4176 maochilaoshu.exe
4176 maochilaoshu.exe
1336 hh.exe
1336 hh.exe
3684 hh.exe
3684 hh.exe
3848 hh.exe
3848 hh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

maochilaoshu.execmd.exe

description	pid	process	target process
PID 4176 wrote to memory of 1900	4176	maochilaoshu.exe	cmd.exe
PID 4176 wrote to memory of 1900	4176	maochilaoshu.exe	cmd.exe
PID 4176 wrote to memory of 1900	4176	maochilaoshu.exe	cmd.exe
PID 1900 wrote to memory of 3084	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 3084	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 3084	1900	cmd.exe	reg.exe
PID 4176 wrote to memory of 248	4176	maochilaoshu.exe	v.exe
PID 4176 wrote to memory of 248	4176	maochilaoshu.exe	v.exe
PID 4176 wrote to memory of 248	4176	maochilaoshu.exe	v.exe
PID 4176 wrote to memory of 3200	4176	maochilaoshu.exe	v.exe
PID 4176 wrote to memory of 3200	4176	maochilaoshu.exe	v.exe
PID 4176 wrote to memory of 3200	4176	maochilaoshu.exe	v.exe
PID 4176 wrote to memory of 4424	4176	maochilaoshu.exe	jerryrat.exe
PID 4176 wrote to memory of 4424	4176	maochilaoshu.exe	jerryrat.exe
PID 4176 wrote to memory of 4424	4176	maochilaoshu.exe	jerryrat.exe

C:\Users\Admin\AppData\Local\Temp\maochilaoshu.exe
"C:\Users\Admin\AppData\Local\Temp\maochilaoshu.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
3⤵
PID:3084

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
2⤵
- Executes dropped EXE
PID:248

C:\Users\Public\xiaodaxzqxia\v.exe
"C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\ma
2⤵
- Executes dropped EXE
PID:3200

C:\Users\Public\xiaodaxzqxia\jerryrat.exe
C:\Users\Public\xiaodaxzqxia\jerryrat.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:892

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5267770094464106\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5267770094464106\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\5267770094464106\A11.chm
1⤵
- Suspicious use of SetWindowsHookEx
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Filesize
8KB

MD5
ccbec2d090894178ce950544cd652325

SHA1
8cfbecddeb69db2cae91204709467718725fd691

SHA256
1918efa04c1930b7407c4dbe8cf725302c5cc57dcfebdbeb019b1e3cad65676a

SHA512
f54dfd15e98cd4d100a29f0f78e60f511ac7a479ac38db5c1c0aa872310fddd2f9270c91d1d31ec1fcaf6260ec04cc91f5ca667b18b150e8dfb97b7f7c674796

Download Submit
C:\Users\Public\cxzvasdfg\5267770094464106\A11.chm
Filesize
11KB

MD5
db7961bf21e69e9cdbbfbc5357b6ae84

SHA1
6b43da6f1a502cc3ede9a46a71536e79335e3169

SHA256
49c7fc9d58e588bdcac23d7d576b699d49d5497de8afcb73be23cab89edf3b0e

SHA512
e0c7f502e60c9a15d407416645266614dd1e29c42c4711f1f3e10bd0de4c2404994fc71d3cb73a5ca56977afdf36f96c4e60b2bccce7459a1988877f197312f8

Download Submit
C:\Users\Public\xiaodaxzqxia\111
Filesize
1.5MB

MD5
6a37b4b3fa7c30242de550f429aedef1

SHA1
f7996877a0cdae7c6328c19c35f430f90803cae1

SHA256
a52e30d8dc89acd2e22fb56e95c919ed87fe908b829e77f380e284d9a2312776

SHA512
c715f6c0588f5534c79c5580840f412ca8693e546551b5786bedc8c8a1d76af36d8fb5b8fe19435b9ec182da19ff27b81693a739674ee83de52d103d6a8fd1f8

Download Submit
C:\Users\Public\xiaodaxzqxia\jerryrat.exe
Filesize
101.8MB

MD5
bf1b730495a79f66eab2aac35a0b2817

SHA1
d89578047501d4e220de0a47872f1515117153a2

SHA256
c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8

SHA512
e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

Download Submit
C:\Users\Public\xiaodaxzqxia\jerryrat.exe
Filesize
101.8MB

MD5
bf1b730495a79f66eab2aac35a0b2817

SHA1
d89578047501d4e220de0a47872f1515117153a2

SHA256
c823dd3f6793fb25914a64329dff85d770929df1dd1561bff47c59033aecdbd8

SHA512
e49bb70fd9608cbabb9e433b441224aaf46df31526b82c9463711b21e3ffa34c03c459eab25ca89f70949118fed9c5cb4113498a6263cdefaeef6f61e81c7bd4

Download Submit
C:\Users\Public\xiaodaxzqxia\ma
Filesize
799KB

MD5
d66f3d98bb9260a2f25cb79fc43253d7

SHA1
74862b6db445959a9ef16a51b73c3dcedbe9be81

SHA256
64d9b2c4e4772ba2ee30f878aa0d006983b4de15764c8e7ddae74dc39611857c

SHA512
a830419304436966604f97022c9f938041196596f50864bee31ddda1d401e93e3f0494263652c8e3de277c81e6bb84eb20222efaea75c1af1ece374fe555b46c

Download Submit
C:\Users\Public\xiaodaxzqxia\n.bat
Filesize
263B

MD5
c7d8b33e05722104d63de564a5d92b01

SHA1
fd703f1c71ac1dae65dc34f3521854604cec8091

SHA256
538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

SHA512
54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
C:\Users\Public\xiaodaxzqxia\v.exe
Filesize
161KB

MD5
fecf803f7d84d4cfa81277298574d6e6

SHA1
0fd9a61bf9a361f87661de295e70a9c6795fe6a1

SHA256
81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

SHA512
a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

Download Submit
memory/248-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3200-171-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4424-175-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download

pid	process
4176	maochilaoshu.exe
4176	maochilaoshu.exe
1336	hh.exe
1336	hh.exe
3684	hh.exe
3684	hh.exe
3848	hh.exe
3848	hh.exe