Overview

overview

10

Static

static

10

576b722806...da.exe

windows7-x64

10

576b722806...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da.exe

  • Size

    164KB

  • MD5

    27cec1668216473595fee2f28bd45a70

  • SHA1

    955f96f7e0b289f37afab359504505a84f75bb45

  • SHA256

    576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da

  • SHA512

    d0e1b022c800598d7680c645927e1eb5621a1356b5697b8824a27f1babca2a48d295906738322f9edf45851f1b4f2bdf4b0771eefb5167460e13b8048c5cabbc

  • SSDEEP

    3072:brpO1VLtIpDmLx8nvbeJXTGoxQpyTDm8PSkNLNs+9+J34:br4LS6ObyX6StTSsSkdE3

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da.exe
    "C:\Users\Admin\AppData\Local\Temp\576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\windows\Prefetch997100.dll
    Filesize

    140KB

    MD5

    40a3677554943b82483bb666f0f38c9e

    SHA1

    948bd00e70aec3f266e5241fb37e3bef4cfaa992

    SHA256

    c9dd61eff58c55517f886b25fb161784b4430756b46a5794751f92018cdc4e8f

    SHA512

    d8ebada743f688c6962bfdcdf181122ea3811a765360665bce6cb403a74e0c0a679fb31f203aeb68609f1b01592b483ed1a30b37718f6412c7872af0cecb3d8e

    Download Submit
  • \??\c:\Program Files\NT_Path.gif
    Filesize

    132B

    MD5

    cd9edd5e13b8add22140004663a270e6

    SHA1

    33b208c3a2c0a85e045ea5c265b12927b16f0d81

    SHA256

    d3a23765d32a661687c13a6317932eaeb9507f043ece2f0799bcc08479439d9f

    SHA512

    1298aeb9301ccd97e693c2c89a59653f8e4c6b5e4f7cbdba22398e9e4255c53491a13f13c5660cb17b696b3d8474f6a0136eb3498d28ff8325b1037070fb8421

    Download Submit
  • \??\c:\program files (x86)\common files\centerv.gzip
    Filesize

    1.9MB

    MD5

    2b6a2d0867ad7b034b8fac976ceedb01

    SHA1

    73fb4ffe14b615a2df6a32410d93739c7baf7572

    SHA256

    40ae16d0dd246574d8b7620b8143caef31cbe90d284e6a1e2e5da0a7652719f7

    SHA512

    0288fe7bb9e5096a6d33a64ee23efcf82ac633611d74eca0bb4ae313fabf4165dd384b5d3d392cfa726a6b576e056b81dcc7b8111edd135a22046346e02fb926

    Download Submit
  • \Program Files (x86)\Common Files\Centerv.gzip
    Filesize

    1.9MB

    MD5

    2b6a2d0867ad7b034b8fac976ceedb01

    SHA1

    73fb4ffe14b615a2df6a32410d93739c7baf7572

    SHA256

    40ae16d0dd246574d8b7620b8143caef31cbe90d284e6a1e2e5da0a7652719f7

    SHA512

    0288fe7bb9e5096a6d33a64ee23efcf82ac633611d74eca0bb4ae313fabf4165dd384b5d3d392cfa726a6b576e056b81dcc7b8111edd135a22046346e02fb926

    Download Submit
  • memory/1152-63-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1152-65-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1204-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1348-62-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1348-64-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download