Analysis

  • max time kernel
    192s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 16:53 UTC

General

  • Target

    a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe

  • Size

    144KB

  • MD5

    19e0e8ac9b12a73462419a205f63fe21

  • SHA1

    223b5e205b2794df4406a6f706408b2570f62477

  • SHA256

    a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9

  • SHA512

    8026e25f24eaa0f82f6e31b822ad571cb846eaaf8d885ebce45276470486b07b79eb1a7780db5ce6900525eea1c6548aad401cf65f9ca09aee3e7f509847c82d

  • SSDEEP

    3072:5VK1M+IRHl+BSVIKISNq+Ha29M9U5EGzGv48YfIqRDUcEuccxB:5sC+wHlCSQSNqea29M9Udk4wqRDCxc/

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
    "C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4736
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3080

Network

  • flag-us
    DNS
    15.89.54.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.89.54.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    IN PTR
    Response
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    260 B
    5
  • 96.16.53.137:80
    46 B
    40 B
    1
    1
  • 127.0.0.1:80
    imgsvc
  • 127.0.0.1:80
    imgsvc
  • 127.0.0.1:80
    imgsvc
  • 8.8.8.8:53
    15.89.54.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    15.89.54.20.in-addr.arpa

  • 8.8.8.8:53
    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
    dns
    118 B
    204 B
    1
    1

    DNS Request

    2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\2091800.dll

    Filesize

    101KB

    MD5

    9a321afedb20299237990eab5f04438a

    SHA1

    cfa0ee092174d53d23b80d4c08f1b122958c50f1

    SHA256

    ea4c6fc4b5fe10c83af82d5104d5a9b8c528fd383cce4677c0d10c708732c3bb

    SHA512

    dd63b78f80897bd585721694f7392daa10550a66b0d3d71371f86aaebec948d09b23a5db8044b0d5c39a119b6cf5e28b77bd23af9f129da6693021673d2de23b

  • C:\2091800.dll

    Filesize

    101KB

    MD5

    9a321afedb20299237990eab5f04438a

    SHA1

    cfa0ee092174d53d23b80d4c08f1b122958c50f1

    SHA256

    ea4c6fc4b5fe10c83af82d5104d5a9b8c528fd383cce4677c0d10c708732c3bb

    SHA512

    dd63b78f80897bd585721694f7392daa10550a66b0d3d71371f86aaebec948d09b23a5db8044b0d5c39a119b6cf5e28b77bd23af9f129da6693021673d2de23b

  • C:\Program Files (x86)\Vlal\Waojxeqoi.gif

    Filesize

    12.1MB

    MD5

    e0fefecf94066d11db1436322daec48d

    SHA1

    027d6953fbe24bfa09234633a20c786be8453888

    SHA256

    9f03e7084ac0c8c51262598f9e21fa1ba6e0d78a0103b4035ea3401e10fff003

    SHA512

    abbf62005ceff8162173e601b70b1463558c005746961f04ad9989855637413fbde34d357464b15e9511b4ed9b17aefbc7e4f7d475dcc2416809880d2973d18a

  • \??\c:\NT_Path.jpg

    Filesize

    117B

    MD5

    c7de3d6c7ac8ec70bf0f53dd3a57d56d

    SHA1

    23d7baba1ad449cdd15ab4fc5eeeff7810c5ed81

    SHA256

    006ba4487ca0fb1e889b79870353147c793ca4fc81d80063b6f775b13ad4532c

    SHA512

    2858ddee8c28f6104532d0101d6ec6812a459ae0a60ae961e838b489fe71582027696f767144f53076c5c27a9347f300daf186a6c1813ab88f55824e8c4371b5

  • \??\c:\program files (x86)\vlal\waojxeqoi.gif

    Filesize

    12.1MB

    MD5

    e0fefecf94066d11db1436322daec48d

    SHA1

    027d6953fbe24bfa09234633a20c786be8453888

    SHA256

    9f03e7084ac0c8c51262598f9e21fa1ba6e0d78a0103b4035ea3401e10fff003

    SHA512

    abbf62005ceff8162173e601b70b1463558c005746961f04ad9989855637413fbde34d357464b15e9511b4ed9b17aefbc7e4f7d475dcc2416809880d2973d18a

  • memory/4736-132-0x0000000000530000-0x000000000055B000-memory.dmp

    Filesize

    172KB

  • memory/4736-133-0x0000000000400000-0x0000000000427000-memory.dmp

    Filesize

    156KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.