Analysis

  • max time kernel: 155s
  • max time network: 171s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04-12-2022 17:31

General

  • Target: fcf4ee2868a0f2607a0998fcefc2741285c3d6aa41172b1dfd4e0a014c0bf7c6.exe
  • Size: 146KB
  • MD5: c48f2e2aee9a14a1811f8d19d6b0b879
  • SHA1: 95f6695525c628ed4cdfce0c516a9897c65234ee
  • SHA256: fcf4ee2868a0f2607a0998fcefc2741285c3d6aa41172b1dfd4e0a014c0bf7c6
  • SHA512: e98573d9362b9c51b14f408e1d9e15a381cc716cfea4233d6c65d2920df61160a2a7c93ea200e091059c550b3d7ceddb1be9fbc910a12bbf0c373dbc0a2ea632
  • SSDEEP: 3072:ggEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:ggEehkHkmMoY0xoV00uz1PZAS

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcf4ee2868a0f2607a0998fcefc2741285c3d6aa41172b1dfd4e0a014c0bf7c6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fcf4ee2868a0f2607a0998fcefc2741285c3d6aa41172b1dfd4e0a014c0bf7c6.exe"
    PID: 1360
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    PID: 3964
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files (x86)\Agef\Fpyesabfa.pic
    Filesize: 14.1MB
    MD5: 34d8f3670ef22103a0a1ab99e1a1bf79
    SHA1: b9ad2086b818266f1a1e62cab8688db95f395d3f
    SHA256: 30fd06cb57c45d683c35f08c672100f97f283d4be6d36338c98b0f8de307fa06
    SHA512: 6da8e587089923a32a8626ae60d65ba04aa2be10ce9cf6d0e1b977dacc44b48172bcaa747d355f6b3e690a571540dfefffd015a1c18263752d1f07b590ebcc87

  • C:\Windows\xinstall9100.dll
    Filesize: 126KB
    MD5: 9ea83111253838ac029211df562cd717
    SHA1: e1ef851cb46bb7423ac785f1d4846acc9684b2cb
    SHA256: 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
    SHA512: 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

  • C:\windows\xinstall9100.dll
    Filesize: 126KB
    MD5: 9ea83111253838ac029211df562cd717
    SHA1: e1ef851cb46bb7423ac785f1d4846acc9684b2cb
    SHA256: 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
    SHA512: 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

  • \??\c:\NT_Path.jpg
    Filesize: 130B
    MD5: 12b5865b7b471ee9c8a532f1780ef9ca
    SHA1: 19737c20166aa44be2ac0736fea869a445310ccb
    SHA256: e3b02139213794aeac88d647d1c62991c84d888d30f42fd7674be6e712baa36e
    SHA512: f950b36f6b8020ce54d44e0f0cca3999f853c6acfb665496b923752358155e485725ed763e371b2ecdc49c7b17066349e8d892c179a3bb259d00491c1dfeab14

  • \??\c:\program files (x86)\agef\fpyesabfa.pic
    Filesize: 14.1MB
    MD5: 34d8f3670ef22103a0a1ab99e1a1bf79
    SHA1: b9ad2086b818266f1a1e62cab8688db95f395d3f
    SHA256: 30fd06cb57c45d683c35f08c672100f97f283d4be6d36338c98b0f8de307fa06
    SHA512: 6da8e587089923a32a8626ae60d65ba04aa2be10ce9cf6d0e1b977dacc44b48172bcaa747d355f6b3e690a571540dfefffd015a1c18263752d1f07b590ebcc87