Analysis

  • max time kernel
    155s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 04:36

General

  • Target

    16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe

  • Size

    146KB

  • MD5

    1aa6c0f4e9869aead8511af2c54457cd

  • SHA1

    14244d08470d18da13ec13dbbf00eeadf895638c

  • SHA256

    16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba

  • SHA512

    dff8a6dfda35a8cfed35e0cda10737c7c6eceb7e52d68285c4f0bfe65b6af563c236e3a07b3f87a3b41c4179e8dc37d85f7c1644e0d0540d91bd5323fd0f84ec

  • SSDEEP

    3072:NgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:NgEehkHkmMoY0xoV00uz1PZAS

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
    "C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe"
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1396
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1724

Network

MITRE ATT&CK Matrix

Downloads

  • C:\windows\xinstall1072400.dll
    Filesize

    126KB

    MD5

    9ea83111253838ac029211df562cd717

    SHA1

    e1ef851cb46bb7423ac785f1d4846acc9684b2cb

    SHA256

    0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f

    SHA512

    345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

  • \??\c:\NT_Path.jpg
    Filesize

    133B

    MD5

    6d40b2ec8e2aca4cec566b07a13ef1bb

    SHA1

    a3e487cd1cca1354d56a0e305b234852092cf244

    SHA256

    eed8e68ab36d4b8925ee1fe31b42a974c67985ec0d4952558a21dc8149764394

    SHA512

    74cb40f1c20b6e0ed3ad113b5b5e7373501f24bf9e1d15f4f76943b014afb630cc670984928efad0509622e3bacca0bc8f56bf2b8ebfd0337ba32f23f6fef4ab

  • \??\c:\program files (x86)\agef\fpyesabfa.pic
    Filesize

    13.6MB

    MD5

    c53323d9e82f121913847b630ecb0515

    SHA1

    e1450f4efb499f9ece7549b3c01a35c0908081af

    SHA256

    7c4ab3d8682907773b8a5887f24cbc50824466a3771299d4b46b3772b8ea508c

    SHA512

    a705e497cb1d3aea92cbf2d3aad7e92fbc3183c7f7b2f34feb8d7f34d80b73333f9b98b63ec9f881776623e48ab8c4e578cce7d096862a618d79e8c207513fee

  • \Program Files (x86)\Agef\Fpyesabfa.pic
    Filesize

    13.6MB

    MD5

    c53323d9e82f121913847b630ecb0515

    SHA1

    e1450f4efb499f9ece7549b3c01a35c0908081af

    SHA256

    7c4ab3d8682907773b8a5887f24cbc50824466a3771299d4b46b3772b8ea508c

    SHA512

    a705e497cb1d3aea92cbf2d3aad7e92fbc3183c7f7b2f34feb8d7f34d80b73333f9b98b63ec9f881776623e48ab8c4e578cce7d096862a618d79e8c207513fee

  • memory/1396-54-0x00000000760E1000-0x00000000760E3000-memory.dmp
    Filesize

    8KB
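The dropped files above and the process tree (svchost.exe -k imgsvc loading a DLL that was written to the root of C:\windows rather than System32/SysWOW64) are the parts of this report a responder would turn into a host check. The following is an added example, not part of the sandbox report: it carries the three distinct SHA256 values from the Downloads section, hashes every file under a given root to find matches, and flags the service-host image-load pattern from the Processes section. The `build_constructed_fixture` helper and its sample content are constructed for demonstration only; the function names are my own.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path, PureWindowsPath

# SHA256 values copied from the Downloads section of this report. The
# Fpyesabfa.pic file appears there twice (two path spellings) with one hash,
# so the table holds three distinct entries.
REPORT_IOCS = {
    "0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f":
        r"C:\windows\xinstall1072400.dll (126KB, loaded by svchost.exe -k imgsvc)",
    "eed8e68ab36d4b8925ee1fe31b42a974c67985ec0d4952558a21dc8149764394":
        r"c:\NT_Path.jpg (133B)",
    "7c4ab3d8682907773b8a5887f24cbc50824466a3771299d4b46b3772b8ea508c":
        r"C:\Program Files (x86)\Agef\Fpyesabfa.pic (13.6MB)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so the 13.6MB .pic is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=REPORT_IOCS):
    """Walk root and return [(path, label)] for files whose SHA256 is in iocs."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the scan
            if digest in iocs:
                hits.append((str(p), iocs[digest]))
    return hits


def dll_in_windows_root(dll_path):
    """True when a DLL sits directly in <drive>:\\Windows, as xinstall1072400.dll
    does here, instead of in System32 or SysWOW64 where service DLLs normally live."""
    parts = [p.lower() for p in PureWindowsPath(dll_path).parts]
    # parts[0] is the drive ('c:\\'); a root-of-Windows DLL has exactly 3 parts
    return len(parts) == 3 and parts[1] == "windows" and parts[2].endswith(".dll")


def flag_svchost_image_load(command_line, image_path):
    """Combine the process tree with the image load: svchost.exe hosting the
    imgsvc group and loading a DLL from the Windows root is the behaviour recorded."""
    cl = command_line.lower()
    return "svchost.exe" in cl and "-k imgsvc" in cl and dll_in_windows_root(image_path)


def build_constructed_fixture():
    """Constructed test data (not from the report): one file in a temp dir.
    Returns (root, path, sha256) so a caller can exercise scan_tree offline."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    data = b"constructed sample, not a real dropped file"
    path = str(Path(root) / "sample.bin")
    with open(path, "wb") as f:
        f.write(data)
    return root, path, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Usage: python ioc_check.py <directory to scan>; defaults to a constructed fixture.
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_fixture()[0]
    for path, label in scan_tree(target):
        print(f"MATCH {path} -> {label}")
    print("svchost imgsvc + root DLL:",
          flag_svchost_image_load(r"C:\Windows\SysWOW64\svchost.exe -k imgsvc",
                                  r"C:\windows\xinstall1072400.dll"))
```

Hash matching on its own only catches this exact build; the path-based `dll_in_windows_root` check is the more durable signal, since the dropped service DLL must be somewhere the hijacked svchost group can load it, and the Windows root is an unusual place for one.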