Overview

overview

10

Static

static

10

d01f4e7c70...1b.exe

windows7-x64

10

d01f4e7c70...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 01:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b.exe

  • Size

    236KB

  • MD5

    33dee9cce9d3189a0102fc8dee0ca294

  • SHA1

    7ce30a7252b330f60729fca10a3ae4bea3d6f69d

  • SHA256

    d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b

  • SHA512

    8e220176fb48a33f8233cbd9cf997ab736b6633a2bb115690b78c50d00d082e2b53381125743efc5fb4b8e29d9522d87eaf5360bfcce01d2f146d74a81eeb814

  • SSDEEP

    3072:IvHzqtu0IPeqovhA58gMreQNihzFEnitlffRo+8uRJUZZWFIYzSf+eqo9a:OP0Ieqo5bN2l3f6KgZZY+Geqo

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b.exe
    "C:\Users\Admin\AppData\Local\Temp\d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im KSafeTray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • \??\c:\Windows\D07A002F.exe
      c:\Windows\D07A002F.exe
      2⤵
      • Executes dropped EXE
      PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c afc9fe2f418b00a0.bat
      2⤵
      • Deletes itself
      PID:2016

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat
          Filesize

          2KB

          MD5

          6383d8e7d5c4721862c6d7e1a4f44f68

          SHA1

          ac57118a41707068e48daaafd3f97d4abf89bc1c

          SHA256

          0648a0ca3bb4d3dfd0ca0b4c7320ca79405ac01efdf77437d2fe878eea81e543

          SHA512

          98a485b53d420b781936ecfa2fdaf12ac4dbf2c8186e21a783a1d991e76537b78141c13c1206ab37db17d5ddba9ce4cc0c77ba9931113ac4f9e7db6715bddb6b

          Download Submit

        • C:\Windows\D07A002F.exe
          Filesize

          176KB

          MD5

          e11a6824977a1250f32c1d241114d770

          SHA1

          476d425df990af8516ae6a2cf50d5274891b0fed

          SHA256

          415b9a0122539ba58170c512f6bb47a5bb0ad37bcd0b4ad842b211e7aeb84f36

          SHA512

          3fa18b1ce193d0602d61e863d053325bfcad744faf128f84b7c7f4f5c456cdbe76dbb148a577330be57d3c2c1e33ecc4253cb52d50d69a782a4b3a2edd0dba63

          Download Submit

        • memory/1032-54-0x0000000075501000-0x0000000075503000-memory.dmp

          Filesize

          8KB

          Download