Overview

overview

10

Static

static

10

6aaf784991...a8.exe

windows7-x64

10

6aaf784991...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8.exe

  • Size

    141KB

  • MD5

    6d8d48afc3782a3007d0b40c0f2b9252

  • SHA1

    d33e622dd1e846c9fb4fa866ad126d6daa021fc4

  • SHA256

    6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8

  • SHA512

    76bc851202d0fb7b5640ae7a3598b478dbe907bcc77607e626caa3e8a1460563dd3db5a3e41d01c31c2f70beba610a715d8b03161464eb325a5f5087c2a95955

  • SSDEEP

    3072:PmkFSPOOECpVKTbp3WpnAzDhZFYYJOGS5XzZQ82pCi0z:9zTb+AvNYIq5DZQhoZ

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8.exe
    "C:\Users\Admin\AppData\Local\Temp\6aaf78499150daca0cffe6c6419c4199bae084b6008e0cdb20a1daadb68afda8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1928
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Uqrs\Aqrstuvwx.bmp
    Filesize

    11.2MB

    MD5

    0a34fcb01fe836d41d367e0fc15a9a40

    SHA1

    dd48694788f8b3586572a21f81ece421cf52b817

    SHA256

    d208480e53c25dbdf2c9e9f515bed445a01504a4e8d77295e79d3e68409c68de

    SHA512

    590521a572672bf317c8c6c8e26949bf1fd20ae94d72c3e22133d30938ec110cb8d856baef67a8cc88f61200f51dcb7f29856e57c00906aa6734c8f05486804c

    Download Submit

  • C:\Windows\Prefetch2365500.dll
    Filesize

    130KB

    MD5

    5f7dcf4b70048570003b6244dd2f6de1

    SHA1

    9fe23c43da8b0f225d6dd0682fc2c90deacf89ec

    SHA256

    4a54b6412b98fa5b5bb099131583f703a1f9e972f2df277d46da75ccf3ae790c

    SHA512

    1664867208e2627e9791dc3975c14b97d3aaa9cda4c72759296db5ee718d6a98f2acff7830263902be4481b3eddadbda8421fcecb4f6d70f75e47c0775d16a00

    Download Submit

  • C:\windows\Prefetch2365500.dll
    Filesize

    130KB

    MD5

    5f7dcf4b70048570003b6244dd2f6de1

    SHA1

    9fe23c43da8b0f225d6dd0682fc2c90deacf89ec

    SHA256

    4a54b6412b98fa5b5bb099131583f703a1f9e972f2df277d46da75ccf3ae790c

    SHA512

    1664867208e2627e9791dc3975c14b97d3aaa9cda4c72759296db5ee718d6a98f2acff7830263902be4481b3eddadbda8421fcecb4f6d70f75e47c0775d16a00

    Download Submit

  • \??\c:\Program Files\NT_Path.gif
    Filesize

    133B

    MD5

    f8d46d95e96a81be14a41f52024a7209

    SHA1

    183b52d8c39ef05320e419cc302430210232664a

    SHA256

    b655daa514a41875236be8a103b67d9902c42c96278350d6723ead5baaf3e388

    SHA512

    bf3858db99d229baa05b61d34ac4dc89ed93cacb9c3aa1e795e66a0dd4865b5b1f00d9a7b8b0fa56eda0657ed88eda6323a9f67eb29bce4d031e90356765fbd9

    Download Submit

  • \??\c:\program files (x86)\uqrs\aqrstuvwx.bmp
    Filesize

    11.2MB

    MD5

    0a34fcb01fe836d41d367e0fc15a9a40

    SHA1

    dd48694788f8b3586572a21f81ece421cf52b817

    SHA256

    d208480e53c25dbdf2c9e9f515bed445a01504a4e8d77295e79d3e68409c68de

    SHA512

    590521a572672bf317c8c6c8e26949bf1fd20ae94d72c3e22133d30938ec110cb8d856baef67a8cc88f61200f51dcb7f29856e57c00906aa6734c8f05486804c

    Download Submit