gh0strat | 1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7

Analysis

max time kernel
117s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe
Size

3.1MB
MD5

afda95541d982e00709ed9d5e3b67d41
SHA1

ffc360180e44a92a7faa6a996028f33701b5e6b1
SHA256

1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7
SHA512

f10acc956fe2d50547edf24d763ceea4bc66fa801545068adadc1c7765896d45d4e2ada253413453d60266382a0cf8dcc33a8663215cd8225cdd428d9776f5f7
SSDEEP

98304:LFBpdAoM5C3Vz6+OYT5Z+ljDKEjJH5BNFFnWoEaa4OiZrq1DfPHNADtV6v+m:hBpmUVz9n+ljx7nWoEr4O7NADtV6v+m

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/1156-42-0x0000000010000000-0x000000001007B000-memory.dmp	family_gh0strat
behavioral1/memory/1156-59-0x00000000022D0000-0x0000000002366000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
1156	EvernoteMouseTray.exe

Loads dropped DLL 6 IoCs

pid	Process
1096	1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	EvernoteMouseTray.exe
File opened (read-only)	\??\I:	EvernoteMouseTray.exe
File opened (read-only)	\??\O:	EvernoteMouseTray.exe
File opened (read-only)	\??\G:	EvernoteMouseTray.exe
File opened (read-only)	\??\J:	EvernoteMouseTray.exe
File opened (read-only)	\??\U:	EvernoteMouseTray.exe
File opened (read-only)	\??\V:	EvernoteMouseTray.exe
File opened (read-only)	\??\Y:	EvernoteMouseTray.exe
File opened (read-only)	\??\B:	EvernoteMouseTray.exe
File opened (read-only)	\??\E:	EvernoteMouseTray.exe
File opened (read-only)	\??\M:	EvernoteMouseTray.exe
File opened (read-only)	\??\R:	EvernoteMouseTray.exe
File opened (read-only)	\??\S:	EvernoteMouseTray.exe
File opened (read-only)	\??\Z:	EvernoteMouseTray.exe
File opened (read-only)	\??\T:	EvernoteMouseTray.exe
File opened (read-only)	\??\W:	EvernoteMouseTray.exe
File opened (read-only)	\??\X:	EvernoteMouseTray.exe
File opened (read-only)	\??\K:	EvernoteMouseTray.exe
File opened (read-only)	\??\L:	EvernoteMouseTray.exe
File opened (read-only)	\??\N:	EvernoteMouseTray.exe
File opened (read-only)	\??\P:	EvernoteMouseTray.exe
File opened (read-only)	\??\Q:	EvernoteMouseTray.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EvernoteMouseTray.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EvernoteMouseTray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe
1156	EvernoteMouseTray.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1156	EvernoteMouseTray.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1156	EvernoteMouseTray.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1096	1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe
1156	EvernoteMouseTray.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1156	1096	1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe	28
PID 1096 wrote to memory of 1156	1096	1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe	28
PID 1096 wrote to memory of 1156	1096	1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe	28
PID 1096 wrote to memory of 1156	1096	1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe	28

C:\Users\Admin\AppData\Local\Temp\1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe
"C:\Users\Admin\AppData\Local\Temp\1fce8b9f38fcc8ba94217892687dd2663a450fb120f12bbc520865b7055742a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Public\BitTorrent\EvernoteMouseTray.exe
  "C:\Users\Public\BitTorrent\EvernoteMouseTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\BitTorrent\EvernoteMouseTray.dat

Filesize
61B

MD5
0fcbd853e01aa6f177d2f3b67545bc82

SHA1
9f74a379dbe44723656abcb0ec21aaf1f1cebe36

SHA256
6ae6a905c577e823c39a5edf6c6497b801f97308b8d0d0a42f7fe3fe379de513

SHA512
2900c3a4e1ce53fbc85a022e9740baa2c1a9d3d3c4cf7e8ad3452d64a2d4981e51699ecd2dfe40707fd07b4fc81d16aed417df24e1c05974e5e07b4a1bdd1bc5

Download Submit
C:\Users\Public\BitTorrent\EvernoteMouseTray.exe

Filesize
2.0MB

MD5
2ff236ca982bc4fdd29586ab77c49fdd

SHA1
187b43ea891e01b6530d249b988c713d826c04e7

SHA256
9064ab3843cb154f46a2e4d9a5d0f2df9bedd1a684efaba8a6e94cb77070edf3

SHA512
c43f693d095fe02a53368fb9d3ea207f1082201afebd00076eb08bad082e71cf2ec66bc1bb45405278c91afdf8b6087b366540843c88cfcf80184c2e15b1504d

Download Submit
C:\Users\Public\BitTorrent\EvernoteMouseTray.exe

Filesize
2.0MB

MD5
2ff236ca982bc4fdd29586ab77c49fdd

SHA1
187b43ea891e01b6530d249b988c713d826c04e7

SHA256
9064ab3843cb154f46a2e4d9a5d0f2df9bedd1a684efaba8a6e94cb77070edf3

SHA512
c43f693d095fe02a53368fb9d3ea207f1082201afebd00076eb08bad082e71cf2ec66bc1bb45405278c91afdf8b6087b366540843c88cfcf80184c2e15b1504d

Download Submit
C:\Users\Public\BitTorrent\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Public\BitTorrent\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Public\BitTorrent\donottrace.txt

Filesize
576KB

MD5
00e4d9349ca60fd4799472d8464f7c8d

SHA1
d96dff8a5d83166853245a731cd3c722be9cbf64

SHA256
31d785f49ef62d7c641126bd4568ea46bb03d85b97e99dbfc34b0b34df6ca51a

SHA512
f2ea397e16dab407057362787fcb0bc6610fc5060d1fa60630ec655f04d0131516bf3dc59179c0a2936c0a714fa99eb3fe27f4c754da3df445aa2e6e3775070d

Download Submit
C:\Users\Public\BitTorrent\mfc100u.dll

Filesize
4.2MB

MD5
f32077df74efd435a1dcdf415e189df1

SHA1
2771393d56ff167275bf03170377c43c28ee14e1

SHA256
24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

SHA512
fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Download Submit
C:\Users\Public\BitTorrent\mirage_cm.dll

Filesize
305KB

MD5
5d6c90d2cb177500f7b46f8c7caf6531

SHA1
4fc46eb0cf80073855580ec34b319fe361020379

SHA256
e512dc10ff8d33efe688c3214be608a40ecf4f1f7b4f9659ff6efc9a6827ee40

SHA512
eb35f337e0a6387d4bc47b6d9be241e4ea2c28936e3b4edc58448fc205b55c8171ec40399293b24e949fbb2a656918056e498b6dbedd6757c7bf2151862aa0d0

Download Submit
C:\Users\Public\BitTorrent\task.dat

Filesize
93B

MD5
c8887f9c30372f71e3d3d20276cb868b

SHA1
4e0b25e6144dba5da40b10b332a8fea3ff81f718

SHA256
7083b54c98c2b6dd3248192e73af17e6caebfe047ec16b8e6e33f3d28e20ed98

SHA512
1af47f493bf874a010bdf6927d1e691dbe7ff74ec43036977599ddd3d01e40c2df75112573c5c3666cc66f5e6125fef23c1ebe12473668d9014f79c52fdf5fa7

Download Submit
C:\Users\Public\BitTorrent\wrapcef.dll

Filesize
60KB

MD5
3b1d46c4eb061065a5bb32d4fbb86b79

SHA1
b04e3e18bee6dc6f298e2242c89041d16eb2d8bf

SHA256
4e56158a4c191bff82056902290346109c8354eb7e43ba7de8e127535eb09507

SHA512
d024ce1446086c0552d12f2bb117149821637cfaa887e4159a4fd94b0db4dee10126fc2c1577ef00e7efe89ee041b98f26c88996f4058b52300e4cff856af24d

Download Submit
\Users\Public\BitTorrent\EvernoteMouseTray.exe

Filesize
2.0MB

MD5
2ff236ca982bc4fdd29586ab77c49fdd

SHA1
187b43ea891e01b6530d249b988c713d826c04e7

SHA256
9064ab3843cb154f46a2e4d9a5d0f2df9bedd1a684efaba8a6e94cb77070edf3

SHA512
c43f693d095fe02a53368fb9d3ea207f1082201afebd00076eb08bad082e71cf2ec66bc1bb45405278c91afdf8b6087b366540843c88cfcf80184c2e15b1504d

Download Submit
\Users\Public\BitTorrent\mfc100u.dll

Filesize
4.2MB

MD5
f32077df74efd435a1dcdf415e189df1

SHA1
2771393d56ff167275bf03170377c43c28ee14e1

SHA256
24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

SHA512
fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Download Submit
\Users\Public\BitTorrent\mirage_cm.dll

Filesize
305KB

MD5
5d6c90d2cb177500f7b46f8c7caf6531

SHA1
4fc46eb0cf80073855580ec34b319fe361020379

SHA256
e512dc10ff8d33efe688c3214be608a40ecf4f1f7b4f9659ff6efc9a6827ee40

SHA512
eb35f337e0a6387d4bc47b6d9be241e4ea2c28936e3b4edc58448fc205b55c8171ec40399293b24e949fbb2a656918056e498b6dbedd6757c7bf2151862aa0d0

Download Submit
\Users\Public\BitTorrent\msvcp100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
\Users\Public\BitTorrent\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Users\Public\BitTorrent\wrapcef.dll

Filesize
60KB

MD5
3b1d46c4eb061065a5bb32d4fbb86b79

SHA1
b04e3e18bee6dc6f298e2242c89041d16eb2d8bf

SHA256
4e56158a4c191bff82056902290346109c8354eb7e43ba7de8e127535eb09507

SHA512
d024ce1446086c0552d12f2bb117149821637cfaa887e4159a4fd94b0db4dee10126fc2c1577ef00e7efe89ee041b98f26c88996f4058b52300e4cff856af24d

Download Submit
memory/1156-39-0x00000000022D0000-0x0000000002366000-memory.dmp

Filesize
600KB

Download
memory/1156-40-0x00000000022D0000-0x0000000002366000-memory.dmp

Filesize
600KB

Download
memory/1156-42-0x0000000010000000-0x000000001007B000-memory.dmp

Filesize
492KB

Download
memory/1156-59-0x00000000022D0000-0x0000000002366000-memory.dmp

Filesize
600KB

Download