Overview

overview

10

Static

static

10

3a7a01542e...1a.dll

windows7-x64

10

3a7a01542e...1a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll

  • Size

    101KB

  • MD5

    f423bd59ca51af040094b88af5fb9152

  • SHA1

    cdcbd1d1d96acf939789c0376d0144ef30eef599

  • SHA256

    3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a

  • SHA512

    82a110eeaa45fc3bc7dc480f3e394685a57b6dca749837c7158879a13b57c255f7766a54b15b8ff02c69ed4375eda47c15ca9cfa9759837154cb505a7512d66b

  • SSDEEP

    3072:CwZSQpKa3VGVnpUlCz764/9xpEEBqbZuw45iG:JJVGpxx9b3wZuw44G

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7a01542ef3e3a5a56c2a60694b3c37b6283b461f282247df5ec9748ffa981a.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\FileName.jpg
    Filesize

    15.6MB

    MD5

    3fd7fd3385e64bc170a095c2afa4eecd

    SHA1

    892e1432d9d2c98d30826bca3dade01ce0d911fc

    SHA256

    161a9b7b98516f01a4e45ca4c5857465c95b0548831b4002c08441d8d93819d7

    SHA512

    9da47037df5872905cf7052fda5a8187637383f0355053a096085ed10680d2d5abb559d24bd6d807dd1b510d9e260a536f1c14067c5ae1c4f4ad85de1ed06f5b

    Download Submit

  • \??\c:\windows\filename.jpg
    Filesize

    15.6MB

    MD5

    3fd7fd3385e64bc170a095c2afa4eecd

    SHA1

    892e1432d9d2c98d30826bca3dade01ce0d911fc

    SHA256

    161a9b7b98516f01a4e45ca4c5857465c95b0548831b4002c08441d8d93819d7

    SHA512

    9da47037df5872905cf7052fda5a8187637383f0355053a096085ed10680d2d5abb559d24bd6d807dd1b510d9e260a536f1c14067c5ae1c4f4ad85de1ed06f5b

    Download Submit