Overview

overview

10

Static

static

10

2d7040da51...0c.exe

windows7-x64

10

2d7040da51...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe

  • Size

    148KB

  • MD5

    9507750f27baef1c5df41867d03ec96a

  • SHA1

    5ba961185b9c4fff620e70af060fb1d231a6d6a1

  • SHA256

    2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c

  • SHA512

    16eaec7c329ea3c68e7a4d22108e8df84b708895ca321b59155fe822efc391289f65390b5fb09cbed55d677f8d30998018baaba187d02762fe7e878e5e4ac6cb

  • SSDEEP

    3072:Y8wZSQpKa3VGVnpUlCz764/9xpEEBqbZuwpAWvGj:YnJVGpxx9b3wZuwpAWvG

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe
    "C:\Users\Admin\AppData\Local\Temp\2d7040da513af89e518bdc01e01dad430ece3c344321b8950eaaf30153675a0c.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2016
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\2134300.dll
    Filesize

    130KB

    MD5

    e706a3120c0e6c16595932f4ebaa040b

    SHA1

    471a0c1ce2ae43df4351ddbc493a0b698b3a49bb

    SHA256

    0dbdeadd62b95e633a5ec98e698b7f8fb22360e42b2e26fdef1ae4ec2fe30707

    SHA512

    32cf320a76c69987c529158929861563262478200889c913b2e9fd8ffb9b25ff64ba40bf3e24e2e5f183f5c788d1a50f8fcb1280d23fb875260ff50906235a0d

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    117B

    MD5

    8335d83ffe13f59a05cc830b1e787f9b

    SHA1

    f648dda0b0a16ca86d645445c0acb6e4ef1bfbda

    SHA256

    fc6108106fb02bb68103e45791bd280ede56987b763046552e8f772fc002fbb3

    SHA512

    7b2a5cd783a89ecf3cfdcc48558b45314b8f7907386467494d7742a3a46a0cc98d6daad354e49efb0310c2b574a956e5d48956048759af6a085869f8e813ef43

    Download Submit

  • \??\c:\windows\filename.jpg
    Filesize

    5.3MB

    MD5

    c571aa5ef57194faeda7491ed73b1f76

    SHA1

    de6c6658d58ff32afc68afcf7156307e2f5069f3

    SHA256

    dc96d47aeada7ef032e6a6f1faab007a7141b29dee6f19565aa1179711a92c2f

    SHA512

    4b90463a48f99d24241ca3f842d3702ebb9ff4c39ea23615f191327669e01c7733ea2978542120026c3bc27f088dca44e6732de6dadac570c7820dbdd552a089

    Download Submit

  • memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

    Filesize

    8KB

    Download