Overview

overview

10

Static

static

10

d01f4e7c70...1b.exe

windows7-x64

10

d01f4e7c70...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    286s
  • max time network
    393s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 01:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b.exe

  • Size

    236KB

  • MD5

    33dee9cce9d3189a0102fc8dee0ca294

  • SHA1

    7ce30a7252b330f60729fca10a3ae4bea3d6f69d

  • SHA256

    d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b

  • SHA512

    8e220176fb48a33f8233cbd9cf997ab736b6633a2bb115690b78c50d00d082e2b53381125743efc5fb4b8e29d9522d87eaf5360bfcce01d2f146d74a81eeb814

  • SSDEEP

    3072:IvHzqtu0IPeqovhA58gMreQNihzFEnitlffRo+8uRJUZZWFIYzSf+eqo9a:OP0Ieqo5bN2l3f6KgZZY+Geqo

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b.exe
    "C:\Users\Admin\AppData\Local\Temp\d01f4e7c70a0b2da75ca3ca6faa108b39c7b2dbe58977aa5cecfc4f03796631b.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im KSafeTray.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4976
    • \??\c:\Windows\9947B2A0.exe
      c:\Windows\9947B2A0.exe
      2⤵
      • Executes dropped EXE
      PID:772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
      2⤵
        PID:2244

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat
            Filesize

            2KB

            MD5

            6383d8e7d5c4721862c6d7e1a4f44f68

            SHA1

            ac57118a41707068e48daaafd3f97d4abf89bc1c

            SHA256

            0648a0ca3bb4d3dfd0ca0b4c7320ca79405ac01efdf77437d2fe878eea81e543

            SHA512

            98a485b53d420b781936ecfa2fdaf12ac4dbf2c8186e21a783a1d991e76537b78141c13c1206ab37db17d5ddba9ce4cc0c77ba9931113ac4f9e7db6715bddb6b

            Download Submit

          • C:\Windows\9947B2A0.exe
            Filesize

            176KB

            MD5

            06857314bf53cc7d247d7473a38c21f9

            SHA1

            1914c60cc9d4993f01d64b0455b6a58efa97c3ef

            SHA256

            91875d6c4b24f1874b102230888ee891c91814e673ab238767a2cd5e2aa4d16c

            SHA512

            1454c3121f20ee59dc9e0c02b6cebba14a9fd680905e18115891a5d9518924e66992fb169c45bc671eb8d91723ac1642a0034363e701aa2d10283aa1eab63ae3

            Download Submit

          • \??\c:\Windows\9947B2A0.exe
            Filesize

            176KB

            MD5

            06857314bf53cc7d247d7473a38c21f9

            SHA1

            1914c60cc9d4993f01d64b0455b6a58efa97c3ef

            SHA256

            91875d6c4b24f1874b102230888ee891c91814e673ab238767a2cd5e2aa4d16c

            SHA512

            1454c3121f20ee59dc9e0c02b6cebba14a9fd680905e18115891a5d9518924e66992fb169c45bc671eb8d91723ac1642a0034363e701aa2d10283aa1eab63ae3

            Download Submit