Analysis

  • max time kernel: 184s
  • max time network: 189s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-11-2022 12:52

General

  • Target: d9e816874564dd4f0b9d75e2041763f99bbfe197ce626fd5cd7d9c2d86f167bc.exe
  • Size: 3.0MB
  • MD5: 5cafb737f1daf9217e0ca94abd543ff8
  • SHA1: 25342d22ffb9659814f6d20548322c107ef0c972
  • SHA256: d9e816874564dd4f0b9d75e2041763f99bbfe197ce626fd5cd7d9c2d86f167bc
  • SHA512: 1b3e014859fbb83d3de2b8abde5714ee5a51683a36e4e3c10c5813c9a88bed8a97e41f7088eba0267a5394138992527e4ea7a0b3f56dd823079ae45a9ee208d6
  • SSDEEP: 49152:zce7Idjnv3xj0OELL2Ek0cEmef2LdCq/jPaUzbW:4GIdjv3xjz6L2V0cEm2qjPFW

Score
10/10

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: LoadsDriver 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9e816874564dd4f0b9d75e2041763f99bbfe197ce626fd5cd7d9c2d86f167bc.exe
    "C:\Users\Admin\AppData\Local\Temp\d9e816874564dd4f0b9d75e2041763f99bbfe197ce626fd5cd7d9c2d86f167bc.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\WINDOWS\system32:superec.exe
      C:\WINDOWS\system32:superec.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3804
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3f8 0x414
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3152

Downloads

  • C:\2585000.dll
    Filesize: 101KB
    MD5: 37e054540070bf02adb14401aa162f32
    SHA1: a6209c13d28d904ce331dc1a0d55449d8909e062
    SHA256: 81ba61ba284f721c68d718eb3382cc74ed1dbf98266d587cc0429415b9017d81
    SHA512: 90bfbb43d74b21d4d44a910069d54bc4fd45beb8da775521eff27ea65e101833ab8e2e27f54847297d399a2fff8adff890b9107d39a45cbb20187ed00cbd3718

  • C:\Program Files (x86)\Tsar\Bkhbkeimy.pic
    Filesize: 16.8MB
    MD5: 84033c3c5a574cf294b26ef20cda95ac
    SHA1: 0f73bcff2a9487b3b24a9c11c95f614314062b67
    SHA256: 2f44b621e9616f0713833bfab2a988fc558f254a44d00f5656b30dd2976d1abc
    SHA512: 338358633994efa1be91c4d36a78fbf7d7f4297f6b77fbf9f2b6aca0fa56aa091014c50b09400f15387b1b21383c0fcf1f5e55ca0cb4a3f57953f18fcce489be

  • C:\Windows\System32:superec.exe
    Filesize: 134KB
    MD5: 82e782d9cc8bb53e067fe19a21c5e120
    SHA1: c96e451e491314eb06ba68ce5f840b74e1cac098
    SHA256: 94c8e39c673a27f02f7ce1cc0d68caeb19b39b8f10bccfc993d0944a5a52eb28
    SHA512: eb89ee8d7e89329f47ea30e2a221a680612e8875dcc63ee11ae4150430964633643d1982c7f07348ffca6aaa5b472e3f899160b52592b9dbd2b285eb1096264c

  • C:\Windows\system32\
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\c:\NT_Path.jpg
    Filesize: 46B
    MD5: 0700eb1765d5d597281268561a75372f
    SHA1: e6a01c86374b1c89bdd31ea6a72ce02f695c296a
    SHA256: 557c679d5520aa4e2c01cd66f9bba2591ee27de48dd691eb58d8e8ea547896dd
    SHA512: 205e89801f4d0b709a95f250659309932cb813b41507604b5bed2820cdf9061c0f70cbe6e9093ffc8e0fca41796c6a6836e1f86226d1369e3b89c6bdfa63c84d

  • \??\c:\program files (x86)\tsar\bkhbkeimy.pic
    Filesize: 16.8MB
    MD5: 84033c3c5a574cf294b26ef20cda95ac
    SHA1: 0f73bcff2a9487b3b24a9c11c95f614314062b67
    SHA256: 2f44b621e9616f0713833bfab2a988fc558f254a44d00f5656b30dd2976d1abc
    SHA512: 338358633994efa1be91c4d36a78fbf7d7f4297f6b77fbf9f2b6aca0fa56aa091014c50b09400f15387b1b21383c0fcf1f5e55ca0cb4a3f57953f18fcce489be

  • memory/540-132-0x0000000000400000-0x0000000000731000-memory.dmp
    Filesize: 3.2MB
  • memory/540-133-0x0000000000400000-0x0000000000731000-memory.dmp
    Filesize: 3.2MB
  • memory/2188-134-0x0000000000000000-mapping.dmp