Analysis
-
max time kernel
4s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
05-12-2022 08:45
General
-
Target
b1231919acad3b987ccace0aa9a92ce6e01566867484f58a6e03e2516eff1b1c.exe
-
Size
132KB
-
MD5
7fa1eccc1ae6fa313cbbd403737aa186
-
SHA1
2c63c8ee4a16fb7b6e7d4a5c2453d26aa881527d
-
SHA256
b1231919acad3b987ccace0aa9a92ce6e01566867484f58a6e03e2516eff1b1c
-
SHA512
7a6cb4dff686e84321e6f8ed30f98cbf6d1052a80635f90aeb4439cef5c997f6f01b25c2076b92d196197196a520ba751d13e43921bdd9ef33007b5d1491cbbd
-
SSDEEP
3072:EzbbN6esny5BV0D8C5oJu2gCFxg8qCZmWksd/V1B1B:Ezbb0dyxq9nAFWFUmZsd/
Malware Config
Signatures
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1231919acad3b987ccace0aa9a92ce6e01566867484f58a6e03e2516eff1b1c.exe"C:\Users\Admin\AppData\Local\Temp\b1231919acad3b987ccace0aa9a92ce6e01566867484f58a6e03e2516eff1b1c.exe"1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Drops file in Drivers directory
- Deletes itself
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
102B
MD564dc68ef192f6552979cd0eeb5ab89f6
SHA122380085402a9a634b7606813c7dcf969bd22cce
SHA256225fe55a272912701aaea2f724cdce4fec25e1e0001382e652370a22c858a7b4
SHA512c6c6ec7e7d6df8d9c60c3e30b9ef4270daa7e937667be8231ebe82a8bac849e96c6b2bde074c2648726b5e41dfbd2de927734d8224cc075d2eb6736700268393
-
Filesize
93KB
MD59f2203f9aa3c197d910fadc548844702
SHA1af7d9bfe8898f5636db467b461a67726c53c0d43
SHA25688e93ecd192cb473e0ab9b6a0817a7f527886964f22e691ba150e5d681b21458
SHA51239e078c45a89f6da91378e077427181555963176c84b97eb6753341a80da85892b5d569e553c5641772c12043257ba04aa013528d479b12f44b8b345025f1c9e
-
Filesize
93KB
MD59f2203f9aa3c197d910fadc548844702
SHA1af7d9bfe8898f5636db467b461a67726c53c0d43
SHA25688e93ecd192cb473e0ab9b6a0817a7f527886964f22e691ba150e5d681b21458
SHA51239e078c45a89f6da91378e077427181555963176c84b97eb6753341a80da85892b5d569e553c5641772c12043257ba04aa013528d479b12f44b8b345025f1c9e
-
Filesize
93KB
MD59f2203f9aa3c197d910fadc548844702
SHA1af7d9bfe8898f5636db467b461a67726c53c0d43
SHA25688e93ecd192cb473e0ab9b6a0817a7f527886964f22e691ba150e5d681b21458
SHA51239e078c45a89f6da91378e077427181555963176c84b97eb6753341a80da85892b5d569e553c5641772c12043257ba04aa013528d479b12f44b8b345025f1c9e
-
Filesize
8KB