Overview

overview

10

Static

static

8

LetGo.exe

windows7-x64

6

LetGo.exe

windows10-2004-x64

10

NewRat.exe

windows7-x64

1

NewRat.exe

windows10-2004-x64

1

WEBserver.exe

windows7-x64

10

WEBserver.exe

windows10-2004-x64

10

g.exe

windows7-x64

1

g.exe

windows10-2004-x64

1

smss.exe

windows7-x64

1

smss.exe

windows10-2004-x64

1

svshost.exe

windows7-x64

10

svshost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    182s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 02:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    WEBserver.exe

  • Size

    89KB

  • MD5

    b89be3ac06d28a1d04b2b5b080db77b3

  • SHA1

    7d40d6884ac368d47af53c6f3a545b83c3f61d6e

  • SHA256

    85c95670c06936b8750bed1815715b4b42e797537a2ed1e1dd0cac881b79f1fb

  • SHA512

    d679ae6c2fef72cde43fafa6c35cfc787a541dbf82c194314246067653023de2a2e1325ba6d13610866a84c9f51983173bdd7cfbb2785a2c02adbb8f7dd4f5ae

  • SSDEEP

    1536:SdUVasm9gAHGsOqujkQINbte1EGZpqX5+Ic4FP9MsJLyqTOtEP0Boma1oHXDzt5a:S2gsmbHGhqCkQINRiUsIPZLJh90vbXDS

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WEBserver.exe
    "C:\Users\Admin\AppData\Local\Temp\WEBserver.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1440
  • C:\Windows\xcvzci.exe
    C:\Windows\xcvzci.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1924

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\xcvzci.exe
          Filesize

          89KB

          MD5

          b89be3ac06d28a1d04b2b5b080db77b3

          SHA1

          7d40d6884ac368d47af53c6f3a545b83c3f61d6e

          SHA256

          85c95670c06936b8750bed1815715b4b42e797537a2ed1e1dd0cac881b79f1fb

          SHA512

          d679ae6c2fef72cde43fafa6c35cfc787a541dbf82c194314246067653023de2a2e1325ba6d13610866a84c9f51983173bdd7cfbb2785a2c02adbb8f7dd4f5ae

          Download Submit

        • C:\Windows\xcvzci.exe
          Filesize

          89KB

          MD5

          b89be3ac06d28a1d04b2b5b080db77b3

          SHA1

          7d40d6884ac368d47af53c6f3a545b83c3f61d6e

          SHA256

          85c95670c06936b8750bed1815715b4b42e797537a2ed1e1dd0cac881b79f1fb

          SHA512

          d679ae6c2fef72cde43fafa6c35cfc787a541dbf82c194314246067653023de2a2e1325ba6d13610866a84c9f51983173bdd7cfbb2785a2c02adbb8f7dd4f5ae

          Download Submit

        • memory/1440-132-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-134-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-135-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1440-136-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1924-139-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1924-142-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1924-141-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1924-143-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1924-144-0x0000000010000000-0x0000000010036000-memory.dmp

          Filesize

          216KB

          Download