Overview

overview

10

Static

static

8

fe309f1274...55.exe

windows7-x64

10

fe309f1274...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02/12/2022, 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe309f1274044a5199ef58465f6331fdb76c6d6522643987fd30abbcbe518c55.exe

  • Size

    186KB

  • MD5

    bef247b87ded3ca5235b5167274b3e38

  • SHA1

    49bcdc33993d9716947f3d690f18c4a4eaba65af

  • SHA256

    fe309f1274044a5199ef58465f6331fdb76c6d6522643987fd30abbcbe518c55

  • SHA512

    bd8849db435710046149808e8f04d2917cc33b72c017cd80d3f1cb85233c10b24bf67e2645ea853961e275762c790375db8be064095b77cda1f5d3b6cd0aaac3

  • SSDEEP

    3072:DHoxMfZ7kmP3n5XSoz/t1UFC6Dhh9cOQsKWTShRwwa2cx8m7Stw8iAgu:DHox4X5hR1UB3Q8TShRwwcv2ysR

Score
10/10
gh0stratpersistenceratupx

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe309f1274044a5199ef58465f6331fdb76c6d6522643987fd30abbcbe518c55.exe
    "C:\Users\Admin\AppData\Local\Temp\fe309f1274044a5199ef58465f6331fdb76c6d6522643987fd30abbcbe518c55.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    PID:956
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k svchost
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1344

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\userdata.dll
    Filesize

    123KB

    MD5

    e5e9cba0b7e45f5d5dff20d16fbe7c0e

    SHA1

    f312f8e2f5d87f78e7cdef0995b4abb702ca8964

    SHA256

    130c5ad87ca3cc8cccdbc57425f1ab78aeb7be63e9de7f2d0a830e7e21128144

    SHA512

    3a161fecbf65d674d05cc88e0056f69bea313019c45c9c4eb5b734a0550df4cd4a47f78cc5b106590b644d75926365db4529c78ac50693a69c8f4d5d4ddfcccd

    Download Submit

  • \Windows\SysWOW64\UserData.dll
    Filesize

    123KB

    MD5

    e5e9cba0b7e45f5d5dff20d16fbe7c0e

    SHA1

    f312f8e2f5d87f78e7cdef0995b4abb702ca8964

    SHA256

    130c5ad87ca3cc8cccdbc57425f1ab78aeb7be63e9de7f2d0a830e7e21128144

    SHA512

    3a161fecbf65d674d05cc88e0056f69bea313019c45c9c4eb5b734a0550df4cd4a47f78cc5b106590b644d75926365db4529c78ac50693a69c8f4d5d4ddfcccd

    Download Submit

  • memory/956-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/956-55-0x0000000000400000-0x000000000051B000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1344-59-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1344-60-0x0000000010000000-0x0000000010021000-memory.dmp

    Filesize

    132KB

    Download