Overview

overview

10

Static

static

10

576b722806...da.exe

windows7-x64

10

576b722806...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2022 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da.exe

  • Size

    164KB

  • MD5

    27cec1668216473595fee2f28bd45a70

  • SHA1

    955f96f7e0b289f37afab359504505a84f75bb45

  • SHA256

    576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da

  • SHA512

    d0e1b022c800598d7680c645927e1eb5621a1356b5697b8824a27f1babca2a48d295906738322f9edf45851f1b4f2bdf4b0771eefb5167460e13b8048c5cabbc

  • SSDEEP

    3072:brpO1VLtIpDmLx8nvbeJXTGoxQpyTDm8PSkNLNs+9+J34:br4LS6ObyX6StTSsSkdE3

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da.exe
    "C:\Users\Admin\AppData\Local\Temp\576b7228060f83db6e520e306cb31146a382cf4d3a980a59c4a68c8aefc0b8da.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Ksafetray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Centerv.gzip
    Filesize

    10.5MB

    MD5

    f1b04b0188d33b293b322429290585b8

    SHA1

    ac8af647e07d0389a9b8c17e223d18cfc7577319

    SHA256

    d7cb2021e6084c18e876da454ce8baeea83c867940668e2d2f6f2837609a3d6c

    SHA512

    5c8d262d70fb571186bdd0a22f63db8028846b8b99b0f1736466b881fdbb9a7ea299ab4930088a80d99bcf7ced23c09397211339ba812ffb75dac42932da8fef

    Download Submit
  • C:\Windows\Prefetch2085700.dll
    Filesize

    140KB

    MD5

    40a3677554943b82483bb666f0f38c9e

    SHA1

    948bd00e70aec3f266e5241fb37e3bef4cfaa992

    SHA256

    c9dd61eff58c55517f886b25fb161784b4430756b46a5794751f92018cdc4e8f

    SHA512

    d8ebada743f688c6962bfdcdf181122ea3811a765360665bce6cb403a74e0c0a679fb31f203aeb68609f1b01592b483ed1a30b37718f6412c7872af0cecb3d8e

    Download Submit
  • C:\windows\Prefetch2085700.dll
    Filesize

    140KB

    MD5

    40a3677554943b82483bb666f0f38c9e

    SHA1

    948bd00e70aec3f266e5241fb37e3bef4cfaa992

    SHA256

    c9dd61eff58c55517f886b25fb161784b4430756b46a5794751f92018cdc4e8f

    SHA512

    d8ebada743f688c6962bfdcdf181122ea3811a765360665bce6cb403a74e0c0a679fb31f203aeb68609f1b01592b483ed1a30b37718f6412c7872af0cecb3d8e

    Download Submit
  • \??\c:\Program Files\NT_Path.gif
    Filesize

    133B

    MD5

    ab9527d8b3bfa8cd70a634a6d1940805

    SHA1

    e980b326574fd9eb29d251db133b7e36ee915e33

    SHA256

    096384b953f79fe35aaf7157f0eb2f226cb888e2ea82997606b8ed5792ba9934

    SHA512

    1750e032764d9f12f6f6eb38c1bd251f5d3d2afb33c6c34d5c2f2607de27b96f9d0eae3566163e1de7bae0179d74bb1acafa50257a8da83be21f5d24376bce16

    Download Submit
  • \??\c:\program files (x86)\common files\centerv.gzip
    Filesize

    10.5MB

    MD5

    f1b04b0188d33b293b322429290585b8

    SHA1

    ac8af647e07d0389a9b8c17e223d18cfc7577319

    SHA256

    d7cb2021e6084c18e876da454ce8baeea83c867940668e2d2f6f2837609a3d6c

    SHA512

    5c8d262d70fb571186bdd0a22f63db8028846b8b99b0f1736466b881fdbb9a7ea299ab4930088a80d99bcf7ced23c09397211339ba812ffb75dac42932da8fef

    Download Submit
  • memory/1092-134-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1092-136-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1624-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4664-138-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download
  • memory/4664-141-0x0000000010000000-0x0000000010025000-memory.dmp
    Filesize

    148KB

    Download