Overview

overview

10

Static

static

10

db2ecedeb3...38.exe

windows7-x64

10

db2ecedeb3...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db2ecedeb37faf0bf8525bd5307d0de582ff3c791035e18661776629a69d1b38.exe

  • Size

    71KB

  • MD5

    43b7c75056a735a9dcaf2ed9d6ba508d

  • SHA1

    e01259c3f3e279a2c1568c1bff9929681dea0398

  • SHA256

    db2ecedeb37faf0bf8525bd5307d0de582ff3c791035e18661776629a69d1b38

  • SHA512

    91f53cd7989d1deebe9d00897f2aaeb74b1ab4be36c8a6d96039ffaa750a623ef6e237a55581c0a3bb1bae2688e4d4b5aa44cd0a63f6dad8d1814f6039b30830

  • SSDEEP

    1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uiryQ5e:+pZTvnyEZiGJ7/QguiryQ5e

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db2ecedeb37faf0bf8525bd5307d0de582ff3c791035e18661776629a69d1b38.exe
    "C:\Users\Admin\AppData\Local\Temp\db2ecedeb37faf0bf8525bd5307d0de582ff3c791035e18661776629a69d1b38.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1976
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\2401800.dll
    Filesize

    64KB

    MD5

    7d8a10887b367b24a8b1ba68230b5ac3

    SHA1

    bc117aa0cf4eff940f3376580e7bc665994ddce7

    SHA256

    79df355092a19ead49965c8b7b896b563a817bfa30b94a726bc54f479747e38e

    SHA512

    c3b4833b98a5ff05e0cd73494b432ffc1c31b0f9f91563b32300570d25d998871815c94d82f46e297f62cc00792aadb57a053f7ad68b74d47a3eaf398d67b709

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    117B

    MD5

    03b7b340192bad661525a1395d03c1e9

    SHA1

    bc35c4859df7f8d0d9f75a5b44fc5645db91e09e

    SHA256

    f5511130f3de0fbcd2b6088acc06a63ac580eb88e464c479b69c8ba1d9656d38

    SHA512

    577dd0369d3c73dfef9441c1140c31ee7a0cf22116c60a9c155a8c14d83dd9662944351c02b8a3c189c75d1ad04bd9443cbc5baa70e3a5ce30ae2d712fa09bce

    Download Submit

  • \??\c:\windows\filename.jpg
    Filesize

    5.0MB

    MD5

    bd4d39eac5c0c0735b232ff6789f5cd6

    SHA1

    8bff2952003fcb227e9ce56f9a75800032979b2a

    SHA256

    19d8062eaeda766d10a46da5718c947d587f5c871e3061d1aefd40d7ec9e4b4f

    SHA512

    2b6296569de39e35b8427a6fe5724c904a71f92dfb599ca326e89529309e95af7e79278a6904456eac2c3a0d0eec9fc3ba8c048b963bec9295f3d8498bec7d33

    Download Submit

  • memory/1976-54-0x0000000075831000-0x0000000075833000-memory.dmp

    Filesize

    8KB

    Download