Overview

overview

10

Static

static

f6be8da723...6a.exe

windows7-x64

10

f6be8da723...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6be8da723f175ac7839c2dcddb240e680ecffa9075126219fecb865e3093b6a.exe

  • Size

    85KB

  • MD5

    0a97c8e8c4e5f3bef5fcd3f517f89990

  • SHA1

    1ffe3d0cd81eeb58d30fbd382b662101c7ad7ab1

  • SHA256

    f6be8da723f175ac7839c2dcddb240e680ecffa9075126219fecb865e3093b6a

  • SHA512

    7e7f8fba1c873ede556bea8d94d08aee6068677c87028493cb510cd26814c41a1033cb25ea2550703af6c7962d3864113d6706b313575c28da10acd758f02d42

  • SSDEEP

    1536:cMjxvOfCX+mx3snxniC/o6AHjRnNBQQJeNB1/8bGx8mszdc9Ufm1qE3K7j:cMkhm5spm6o9Ret/8auNhE2mdEj

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6be8da723f175ac7839c2dcddb240e680ecffa9075126219fecb865e3093b6a.exe
    "C:\Users\Admin\AppData\Local\Temp\f6be8da723f175ac7839c2dcddb240e680ecffa9075126219fecb865e3093b6a.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3116
  • C:\Windows\nsztsq.exe
    C:\Windows\nsztsq.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\nsztsq.exe
    Filesize

    85KB

    MD5

    0a97c8e8c4e5f3bef5fcd3f517f89990

    SHA1

    1ffe3d0cd81eeb58d30fbd382b662101c7ad7ab1

    SHA256

    f6be8da723f175ac7839c2dcddb240e680ecffa9075126219fecb865e3093b6a

    SHA512

    7e7f8fba1c873ede556bea8d94d08aee6068677c87028493cb510cd26814c41a1033cb25ea2550703af6c7962d3864113d6706b313575c28da10acd758f02d42

    Download Submit

  • C:\Windows\nsztsq.exe
    Filesize

    85KB

    MD5

    0a97c8e8c4e5f3bef5fcd3f517f89990

    SHA1

    1ffe3d0cd81eeb58d30fbd382b662101c7ad7ab1

    SHA256

    f6be8da723f175ac7839c2dcddb240e680ecffa9075126219fecb865e3093b6a

    SHA512

    7e7f8fba1c873ede556bea8d94d08aee6068677c87028493cb510cd26814c41a1033cb25ea2550703af6c7962d3864113d6706b313575c28da10acd758f02d42

    Download Submit

  • memory/3068-138-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3068-140-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3068-141-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3068-143-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3068-144-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3116-132-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3116-134-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3116-135-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3116-142-0x0000000010000000-0x0000000010034000-memory.dmp

    Filesize

    208KB

    Download