gh0strat | 0d58fbd6dca8e4428ffcd163c68f32dffb2e614ce0c45c9a0eb30dda43a0643e

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x22texe.exe
Size

2.2MB
MD5

71d7069f62819cdfb7c5e9f22fa4881a
SHA1

984f3237d69e9ed410a90a14a8689235f91ed6a9
SHA256

0d58fbd6dca8e4428ffcd163c68f32dffb2e614ce0c45c9a0eb30dda43a0643e
SHA512

8f836e03c6dd598a265fcd4fce9a9fecd45496bf1c4de48e12a0452f9c85f16218d5c942f6475dbd97ceafcd22d13b2d927324a94a28d8c73b036090651b6d01
SSDEEP

49152:K0n+AoM2lG9PiYTe1glkos4vGg/x1FnlcjhBUsK2bH50bcrrqnNlO5TPyv:K63P9PZTe1glkcP/x1FnlcjhKsK4ckr5

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/264-169-0x0000000002CE0000-0x0000000002D5B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	x22texe.exe

Executes dropped EXE 1 IoCs

pid	Process
264	EvernoteMouseTray.exe

Loads dropped DLL 3 IoCs

pid	Process
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	EvernoteMouseTray.exe
File opened (read-only)	\??\M:	EvernoteMouseTray.exe
File opened (read-only)	\??\N:	EvernoteMouseTray.exe
File opened (read-only)	\??\P:	EvernoteMouseTray.exe
File opened (read-only)	\??\V:	EvernoteMouseTray.exe
File opened (read-only)	\??\G:	EvernoteMouseTray.exe
File opened (read-only)	\??\O:	EvernoteMouseTray.exe
File opened (read-only)	\??\Q:	EvernoteMouseTray.exe
File opened (read-only)	\??\R:	EvernoteMouseTray.exe
File opened (read-only)	\??\X:	EvernoteMouseTray.exe
File opened (read-only)	\??\Z:	EvernoteMouseTray.exe
File opened (read-only)	\??\B:	EvernoteMouseTray.exe
File opened (read-only)	\??\I:	EvernoteMouseTray.exe
File opened (read-only)	\??\J:	EvernoteMouseTray.exe
File opened (read-only)	\??\L:	EvernoteMouseTray.exe
File opened (read-only)	\??\S:	EvernoteMouseTray.exe
File opened (read-only)	\??\W:	EvernoteMouseTray.exe
File opened (read-only)	\??\Y:	EvernoteMouseTray.exe
File opened (read-only)	\??\H:	EvernoteMouseTray.exe
File opened (read-only)	\??\K:	EvernoteMouseTray.exe
File opened (read-only)	\??\T:	EvernoteMouseTray.exe
File opened (read-only)	\??\U:	EvernoteMouseTray.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EvernoteMouseTray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EvernoteMouseTray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe
264	EvernoteMouseTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3084	x22texe.exe
3084	x22texe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 264	3084	x22texe.exe	87
PID 3084 wrote to memory of 264	3084	x22texe.exe	87
PID 3084 wrote to memory of 264	3084	x22texe.exe	87

C:\Users\Admin\AppData\Local\Temp\x22texe.exe
"C:\Users\Admin\AppData\Local\Temp\x22texe.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Public\BitTorrent\EvernoteMouseTray.exe
  "C:\Users\Public\BitTorrent\EvernoteMouseTray.exe" /nb
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\BitTorrent\EvernoteMouseTray.dat

Filesize
61B

MD5
a00434358bbe0b19b060da55f20b0e41

SHA1
24d0c0c5762e84ea97250f6b5feadbb3416b7bb0

SHA256
9e89cb6deaebd991f1d07219e184b7f66c7109902490f3650adb312dee536469

SHA512
244ce476147c7e64c708577ea4df1d4df2db52d2b15163de2829b381f7c3e6f3a1285629936660b95688114c01606bb226e1ecc38edabb2243afcaa51e20aeb1

Download Submit
C:\Users\Public\BitTorrent\EvernoteMouseTray.exe

Filesize
149KB

MD5
4fd4dcbfd59638ed5df33fd79c457025

SHA1
facc5d38eaff98470b1e7d25c9a4a5f00b3c1c74

SHA256
de9e4c8948a558708fdf133078f0754badbc2ee33056e594375526358bdf1fd3

SHA512
05e7e28a715e7f02ce3ef310a7c37fe086565b091f55bf24735229f8253e26d872d33ed66eadb242d30f900172b3e0688dfc6d1aa48809b8b78092225500a4ca

Download Submit
C:\Users\Public\BitTorrent\EvernoteMouseTray.exe

Filesize
149KB

MD5
4fd4dcbfd59638ed5df33fd79c457025

SHA1
facc5d38eaff98470b1e7d25c9a4a5f00b3c1c74

SHA256
de9e4c8948a558708fdf133078f0754badbc2ee33056e594375526358bdf1fd3

SHA512
05e7e28a715e7f02ce3ef310a7c37fe086565b091f55bf24735229f8253e26d872d33ed66eadb242d30f900172b3e0688dfc6d1aa48809b8b78092225500a4ca

Download Submit
C:\Users\Public\BitTorrent\EvernoteMouseTray.exe

Filesize
149KB

MD5
4fd4dcbfd59638ed5df33fd79c457025

SHA1
facc5d38eaff98470b1e7d25c9a4a5f00b3c1c74

SHA256
de9e4c8948a558708fdf133078f0754badbc2ee33056e594375526358bdf1fd3

SHA512
05e7e28a715e7f02ce3ef310a7c37fe086565b091f55bf24735229f8253e26d872d33ed66eadb242d30f900172b3e0688dfc6d1aa48809b8b78092225500a4ca

Download Submit
C:\Users\Public\BitTorrent\donottrace.txt

Filesize
576KB

MD5
effec43871e10d187b024db02f78c7aa

SHA1
ca390697f4ad6e38fc5477eae79df39b3a128c06

SHA256
8138c99ad892ca0d2edbbcd07d5f5b899b13b4d40c8b2b82529a2e2c656e58cb

SHA512
0cd6daa67d95cd840f2a62979567719d1ada03bbf83bc2f7abac48db02df862df01a9993f6b3546785e6a12a478dff16244e338a5e16fbff606c6bf0293aeb79

Download Submit
C:\Users\Public\BitTorrent\dskinliteu.dll

Filesize
72KB

MD5
0db05c9d3ae3e1e63da83d2029599a9c

SHA1
25b24e73b9c4471bb6beafab6918d3c339b8b716

SHA256
fa47062e6e2336474e698909e9c70894298c345bd10b4d92d6690a77f9c2853a

SHA512
22ad6ca29216e2fd2ac5dc4bf44a327039913f3e73adb6622a11f0ed35f764462d6ed89d38dff0188aad98f9bf6d37c72d380d2433fd29631b8157f659dda052

Download Submit
C:\Users\Public\BitTorrent\dskinliteu.dll

Filesize
72KB

MD5
0db05c9d3ae3e1e63da83d2029599a9c

SHA1
25b24e73b9c4471bb6beafab6918d3c339b8b716

SHA256
fa47062e6e2336474e698909e9c70894298c345bd10b4d92d6690a77f9c2853a

SHA512
22ad6ca29216e2fd2ac5dc4bf44a327039913f3e73adb6622a11f0ed35f764462d6ed89d38dff0188aad98f9bf6d37c72d380d2433fd29631b8157f659dda052

Download Submit
C:\Users\Public\BitTorrent\dskinliteuOrg.DLL

Filesize
736KB

MD5
7d32c1cb7b675a7e4ee98d390adc4b1a

SHA1
b591f65c0e878ad45bc4dbbe3f1a8936ad3ec5e5

SHA256
81ae7d860774a9280705917ddfebca7aef43f9dd24db369c8e938535ad1854a7

SHA512
596c226ae33ebbce5ffa752a54869fb1b8fe3cf9f72c02390eeab19b41e8e20709bbdf7229342ad4dac75fb4150acf12a308571ed28ccfc425595d5c8b9ce315

Download Submit
C:\Users\Public\BitTorrent\dskinliteuOrg.dll

Filesize
736KB

MD5
7d32c1cb7b675a7e4ee98d390adc4b1a

SHA1
b591f65c0e878ad45bc4dbbe3f1a8936ad3ec5e5

SHA256
81ae7d860774a9280705917ddfebca7aef43f9dd24db369c8e938535ad1854a7

SHA512
596c226ae33ebbce5ffa752a54869fb1b8fe3cf9f72c02390eeab19b41e8e20709bbdf7229342ad4dac75fb4150acf12a308571ed28ccfc425595d5c8b9ce315

Download Submit
C:\Users\Public\BitTorrent\dskinliteuOrg.dll

Filesize
736KB

MD5
7d32c1cb7b675a7e4ee98d390adc4b1a

SHA1
b591f65c0e878ad45bc4dbbe3f1a8936ad3ec5e5

SHA256
81ae7d860774a9280705917ddfebca7aef43f9dd24db369c8e938535ad1854a7

SHA512
596c226ae33ebbce5ffa752a54869fb1b8fe3cf9f72c02390eeab19b41e8e20709bbdf7229342ad4dac75fb4150acf12a308571ed28ccfc425595d5c8b9ce315

Download Submit
C:\Users\Public\BitTorrent\task.dat

Filesize
114B

MD5
367fc228ac4284bf7f40e9cb08e9ed1d

SHA1
9fe496bf5d071d9dfb80ca1ad333de8930bf45ad

SHA256
6bcd1068152e7f7e1b1127715f0c8183c8edb433cc4fdabb79882dda2683a6e3

SHA512
c162dd6bfc7bc90caccea66975e6ddd3edfee926f2251a2dcf55c6c35e3a997840ff6ee4dfaad49ad9ad321afb7ea672f369d50dc60dde2679ea4073f62467f1

Download Submit
memory/264-161-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/264-163-0x0000000003160000-0x00000000031F6000-memory.dmp

Filesize
600KB

Download
memory/264-169-0x0000000002CE0000-0x0000000002D5B000-memory.dmp

Filesize
492KB

Download
memory/264-159-0x0000000002C20000-0x0000000002CDA000-memory.dmp

Filesize
744KB

Download