Overview

overview

10

Static

static

10

15220cac65...2c.exe

windows7-x64

10

15220cac65...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe

  • Size

    311KB

  • MD5

    905c3211af0112154c98baa8bde3af2b

  • SHA1

    5848b87f2f4ac6c154234584ed813377bbd5899b

  • SHA256

    15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c

  • SHA512

    fb1f38313c89e08a332dafcc6a73989abfc44807c2f5a64c11b1b7f0583ca4c4320855efa458790015caf0f9d898b06d6deff73dbd2c5689db06760e86634648

  • SSDEEP

    6144:OWT1Ic+fciN3xjXoxrjxvcOMjuaMSiQ+EeEXMwQe8zLZ44Hpx14hxH:H1IZUEj0BOjqdLEeEVh8HZBp8h5

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe
    "C:\Users\Admin\AppData\Local\Temp\15220cac65f86e2639f8be97b5108324d4595b14670fea58ddf4308de92d482c.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2000
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k svchost
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\program files\userdata.dll
    Filesize

    123KB

    MD5

    b0e5f3c53d9bffa35d96529fb8d3fe17

    SHA1

    96373e27c2742cb15d7f52ad3ba03d3a24319e52

    SHA256

    245c5b2da68269e5c8f67c2b931ee1e0dade9c57df7652ffa618121ce3093a4c

    SHA512

    0dd18e6a666307ce637bf90b60167eb3761d26f9e72a58bb199f8ecf9b7500ced12f21a8a06ccb8658c332a9c0f544d06d999e62f08c20cef112383a68c72dc2

    Download Submit

  • \Program Files\UserData.dll
    Filesize

    123KB

    MD5

    b0e5f3c53d9bffa35d96529fb8d3fe17

    SHA1

    96373e27c2742cb15d7f52ad3ba03d3a24319e52

    SHA256

    245c5b2da68269e5c8f67c2b931ee1e0dade9c57df7652ffa618121ce3093a4c

    SHA512

    0dd18e6a666307ce637bf90b60167eb3761d26f9e72a58bb199f8ecf9b7500ced12f21a8a06ccb8658c332a9c0f544d06d999e62f08c20cef112383a68c72dc2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\gak33C.tmp
    Filesize

    172KB

    MD5

    685f1cbd4af30a1d0c25f252d399a666

    SHA1

    6a1b978f5e6150b88c8634146f1406ed97d2f134

    SHA256

    0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

    SHA512

    6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

    Download Submit

  • memory/988-62-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2000-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2000-56-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2000-57-0x0000000000430000-0x00000000004A3000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2000-58-0x0000000000430000-0x00000000004A3000-memory.dmp

    Filesize

    460KB

    Download