Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2022 17:31

General

  • Target

    cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe

  • Size

    146KB

  • MD5

    9d9ff31b49bbabbd33c529a166d83618

  • SHA1

    b0d97aa6647ee23af5f2bfebad02466ca70481fb

  • SHA256

    cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308

  • SHA512

    e2ae9698a8e91e4a3efbbc39e521d7b8195b5f6733d449929f44ee0d7728786333ade7ff82a7937a7b922dc4d9bbd883e12c50466b766151c172a30951d353b0

  • SSDEEP

    3072:IgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:IgEehkHkmMoY0xoV00uz1PZAS

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe"
    PID: 852
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    PID: 1220
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix

Downloads

  • C:\windows\xinstall1384100.dll
    Filesize: 126KB
    MD5: 9ea83111253838ac029211df562cd717
    SHA1: e1ef851cb46bb7423ac785f1d4846acc9684b2cb
    SHA256: 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
    SHA512: 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

  • \??\c:\NT_Path.jpg
    Filesize: 133B
    MD5: cfd3c40aa85b9ea846ab7bdece99c5aa
    SHA1: d3174e658d9bbddbe4bd62d802520691bb6e3635
    SHA256: 36bdcb617dddd47b98b3c03a1a73d3e743c5358ca35c5d897a7c32593d06178e
    SHA512: 87013fe7e146daa4cd6a5292e947c97686bcfdf50f59f24d85cb6562d0772013e617dd85cf94f808939064891f78d1cd8d93257173300b42b294ef6b39e5bfb0

  • \??\c:\program files (x86)\agef\fpyesabfa.pic
    Filesize: 4.8MB
    MD5: 0df03e456dada914c5613dc5404b75a4
    SHA1: 89779022fec5397354f76942f94a9344ed8bc406
    SHA256: 50afcaf39cfe3e2e126e903cd81cd1b70a7e19210793c02de65c887d27f10e50
    SHA512: c9be22ce32f519d210c6f4ccc2ee975fba84680e14c7413b3242ea2e4b2da8d45f3e7b2fd2a2739de3d5343ff50bf73cb5fdd0d920614a587a30a9cafe54a2d6

  • \Program Files (x86)\Agef\Fpyesabfa.pic
    Filesize: 4.8MB
    MD5: 0df03e456dada914c5613dc5404b75a4
    SHA1: 89779022fec5397354f76942f94a9344ed8bc406
    SHA256: 50afcaf39cfe3e2e126e903cd81cd1b70a7e19210793c02de65c887d27f10e50
    SHA512: c9be22ce32f519d210c6f4ccc2ee975fba84680e14c7413b3242ea2e4b2da8d45f3e7b2fd2a2739de3d5343ff50bf73cb5fdd0d920614a587a30a9cafe54a2d6

  • memory/852-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
    Filesize: 8KB