Overview

overview

10

Static

static

10

16c48f8bc3...ba.exe

windows7-x64

10

16c48f8bc3...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe

  • Size

    146KB

  • MD5

    1aa6c0f4e9869aead8511af2c54457cd

  • SHA1

    14244d08470d18da13ec13dbbf00eeadf895638c

  • SHA256

    16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba

  • SHA512

    dff8a6dfda35a8cfed35e0cda10737c7c6eceb7e52d68285c4f0bfe65b6af563c236e3a07b3f87a3b41c4179e8dc37d85f7c1644e0d0540d91bd5323fd0f84ec

  • SSDEEP

    3072:NgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:NgEehkHkmMoY0xoV00uz1PZAS

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
    "C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:632
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Agef\Fpyesabfa.pic
    Filesize

    988KB

    MD5

    f28d2ea754a888e9da33ff7552bd0045

    SHA1

    52fd86dba37dc86e4d377ed823b317f8f5205d7a

    SHA256

    6f4552e87852f6fd92eb5d8680c06574f0aa499b4f79395952efd41e0282e20e

    SHA512

    5803f562493c913e4a7fd627d857e48c4a977ab318ce97922b79162cdbab649bd31c6bc0c2ef0351409403f8181608b40a75462f7ba2b09aa2910b5aeb56e31c

    Download Submit
  • C:\Windows\xinstall1943000.dll
    Filesize

    126KB

    MD5

    9ea83111253838ac029211df562cd717

    SHA1

    e1ef851cb46bb7423ac785f1d4846acc9684b2cb

    SHA256

    0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f

    SHA512

    345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

    Download Submit
  • C:\windows\xinstall1943000.dll
    Filesize

    126KB

    MD5

    9ea83111253838ac029211df562cd717

    SHA1

    e1ef851cb46bb7423ac785f1d4846acc9684b2cb

    SHA256

    0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f

    SHA512

    345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

    Download Submit
  • \??\c:\NT_Path.jpg
    Filesize

    133B

    MD5

    5b41d460d9e5a48aa5a09655042a4426

    SHA1

    ad499e9706916c525bd7724ade634f55872a900b

    SHA256

    ab710f901e3c7106e82ad9d7405b00656ffc08156940cf2a0e7c915a8027938c

    SHA512

    fcaaa59970f9560351b25a28d598a18b3aeb77322d7b670123352acfa0de4675f5b4d6d9cb3d649e3073d8880aa701c1fe8c3c084d5af29137594ffb07f66951

    Download Submit
  • \??\c:\program files (x86)\agef\fpyesabfa.pic
    Filesize

    988KB

    MD5

    f28d2ea754a888e9da33ff7552bd0045

    SHA1

    52fd86dba37dc86e4d377ed823b317f8f5205d7a

    SHA256

    6f4552e87852f6fd92eb5d8680c06574f0aa499b4f79395952efd41e0282e20e

    SHA512

    5803f562493c913e4a7fd627d857e48c4a977ab318ce97922b79162cdbab649bd31c6bc0c2ef0351409403f8181608b40a75462f7ba2b09aa2910b5aeb56e31c

    Download Submit