Overview

overview

10

Static

static

3

2bc78e0d14...2d.exe

windows7-x64

10

2bc78e0d14...2d.exe

windows10-2004-x64

10

4922d2660f...c5.exe

windows7-x64

10

4922d2660f...c5.exe

windows10-2004-x64

1

4e14f58935...61.exe

windows7-x64

10

4e14f58935...61.exe

windows10-2004-x64

1

64b9d76ec0...52.exe

windows7-x64

10

64b9d76ec0...52.exe

windows10-2004-x64

3

79f68c9a2d...ee.exe

windows7-x64

7

79f68c9a2d...ee.exe

windows10-2004-x64

7

c984a9446b...d3.exe

windows7-x64

10

c984a9446b...d3.exe

windows10-2004-x64

3

d69dc8e0a1...67.exe

windows7-x64

10

d69dc8e0a1...67.exe

windows10-2004-x64

10

dff2cf2793...3f.exe

windows7-x64

10

dff2cf2793...3f.exe

windows10-2004-x64

1

e542080348...18.exe

windows7-x64

10

e542080348...18.exe

windows10-2004-x64

10

f96c9a2487...e6.exe

windows7-x64

10

f96c9a2487...e6.exe

windows10-2004-x64

3

fe2da521d1...ff.exe

windows7-x64

10

fe2da521d1...ff.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2023 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe

  • Size

    1.9MB

  • MD5

    5180aed5b965547e91efa008b717f60e

  • SHA1

    54880ff5d78461ce44c360eac1d6b78324f2d9ac

  • SHA256

    e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418

  • SHA512

    7ff238fe96ee8d6261a7b2c966695b1beed388b8c5d015e4b3398c6ac25542b6a999814034076f7091b6e64db6f63e07b27d119a128599b3704d21654d254623

  • SSDEEP

    49152:sD570Xqsslj++UXO26hSrtML/eYxkkdLqVK5zBO6LvVV1WWhxU9BJ:s0Xqssl1UXOnSrtML/eYxkkdLqUxZV3I

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1360
      • C:\Users\Admin\AppData\Local\Temp\e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe
        "C:\Users\Admin\AppData\Local\Temp\e5420803485f33ca53c3314eb2a77370bf936083e5d32e1e0a53427731aed418.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1196
      • C:\Users\Public\WinZip\ypager.exe
        /mnfgkr
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1680

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\WinZip\ULPSCtrl.DLL
      Filesize

      3.1MB

      MD5

      e9b960187e2f0fbd52b72b998948bc59

      SHA1

      8d0fa9ee8e2ba8c00b8488f29d7ea42f571229d4

      SHA256

      3fc415e6865a071147927e0a4b163e9674f03c141be64d0b73ba3fdf326979c6

      SHA512

      1133c5d74f1740057ed5ae693f325a1ddeb71c539f8fef3319bee36dad3a81c18aeb4e623d9cc8a7838727b3960542513d176f7894858335eef4138af352d116

      Download Submit

    • C:\Users\Public\WinZip\donottrace.txt
      Filesize

      576KB

      MD5

      b6678d622d68b2e0d7ca40d90a2f3364

      SHA1

      c7024ff30e61497fcc084f49d3a3970f448ef979

      SHA256

      1a22b5a54359e3db68ad451cf62f76e1b59ab0c6b06f2960078b812889fc1049

      SHA512

      217d6b3b950204884697d56e66abf6172400f8d7b959957fdebbb7528c0a9413ca664f90fe1c047bdea95fdb1361ed0513ff31a655b4a53f890f6a349e89561d

      Download Submit

    • C:\Users\Public\WinZip\task.dat
      Filesize

      88B

      MD5

      9b33574eaac428c3ad1a2c5ae13f2c13

      SHA1

      31714b1b191635b00d7afa2d1ebe1c2f94848d9b

      SHA256

      42d6db62d64514cadf4e71786e61f3bed8ce4c4fb528b8fe392a0631657890ca

      SHA512

      5ee16b4c35006139f4a0a0acacbe895e16e2b137dd20368dfc45c756c35b547cc5c6589604c7f81df555a15bd8981aa4179805070a7380c7c855bb5cf9d48cde

      Download Submit

    • C:\Users\Public\WinZip\toollib.dll
      Filesize

      106KB

      MD5

      f945e5b62ea2965f45b883401161df6e

      SHA1

      39accf7996725159c177e4286c8458f87d8e5b75

      SHA256

      9f2a815953cc477e94ab510b564f3318be4a5d3d8ed61ada94ae5c0ffc7f5635

      SHA512

      b282c2d3676e853dcc2f98259e4b8c76b8d32fac191a1f9f77989bb39960f4083de3bb3aa6e7da1511444605ae508d190ed704843eec3fcbb4d87280919be973

      Download Submit

    • C:\Users\Public\WinZip\ypager.dat
      Filesize

      61B

      MD5

      2b2a26061e72a2e4f46ee4cb177856e3

      SHA1

      eafc87cba0a3dd5f6ce752f92959b2817d5a76b4

      SHA256

      f8371db77094456c22dd527c85bb32ff72d9e62295ea23bba64e4753ad45070e

      SHA512

      ca77afe2acfa9ceae071858b3ed679a14b5371b38c77bcd3681c4e78160dc9ccd21e164e8255f4c202b8d42142111255f14e4885fff49d4fb3c5a7e805d7c2ca

      Download Submit

    • C:\Users\Public\WinZip\ypager.exe
      Filesize

      384KB

      MD5

      7a07c09670406aa5e6b1e06aab0eb051

      SHA1

      6f4cb11d4eae23e39453339be261f6895e5bbfe3

      SHA256

      28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

      SHA512

      f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

      Download Submit

    • C:\Users\Public\WinZip\ypager.exe
      Filesize

      384KB

      MD5

      7a07c09670406aa5e6b1e06aab0eb051

      SHA1

      6f4cb11d4eae23e39453339be261f6895e5bbfe3

      SHA256

      28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

      SHA512

      f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

      Download Submit

    • C:\Users\Public\WinZip\ypager.exe
      Filesize

      384KB

      MD5

      7a07c09670406aa5e6b1e06aab0eb051

      SHA1

      6f4cb11d4eae23e39453339be261f6895e5bbfe3

      SHA256

      28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

      SHA512

      f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

      Download Submit

    • \Users\Public\WinZip\ULPSCtrl.dll
      Filesize

      3.1MB

      MD5

      e9b960187e2f0fbd52b72b998948bc59

      SHA1

      8d0fa9ee8e2ba8c00b8488f29d7ea42f571229d4

      SHA256

      3fc415e6865a071147927e0a4b163e9674f03c141be64d0b73ba3fdf326979c6

      SHA512

      1133c5d74f1740057ed5ae693f325a1ddeb71c539f8fef3319bee36dad3a81c18aeb4e623d9cc8a7838727b3960542513d176f7894858335eef4138af352d116

      Download Submit

    • \Users\Public\WinZip\toollib.dll
      Filesize

      106KB

      MD5

      f945e5b62ea2965f45b883401161df6e

      SHA1

      39accf7996725159c177e4286c8458f87d8e5b75

      SHA256

      9f2a815953cc477e94ab510b564f3318be4a5d3d8ed61ada94ae5c0ffc7f5635

      SHA512

      b282c2d3676e853dcc2f98259e4b8c76b8d32fac191a1f9f77989bb39960f4083de3bb3aa6e7da1511444605ae508d190ed704843eec3fcbb4d87280919be973

      Download Submit

    • \Users\Public\WinZip\ypager.exe
      Filesize

      384KB

      MD5

      7a07c09670406aa5e6b1e06aab0eb051

      SHA1

      6f4cb11d4eae23e39453339be261f6895e5bbfe3

      SHA256

      28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

      SHA512

      f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

      Download Submit

    • \Users\Public\WinZip\ypager.exe
      Filesize

      384KB

      MD5

      7a07c09670406aa5e6b1e06aab0eb051

      SHA1

      6f4cb11d4eae23e39453339be261f6895e5bbfe3

      SHA256

      28291e444134b900a0190629f01a7f83379464b5fd2647a77943e78e84207a55

      SHA512

      f304a2da7b61392beff13de0734c2bd8b87470f045ea76e2b3f8b8b0d3eba17eaa3d7a615b0059a30f0a99ea5b725f4a0e0780d01208de1d9be2e63bf73891e6

      Download Submit

    • memory/1680-75-0x0000000001CC0000-0x0000000002072000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/1680-79-0x0000000002380000-0x0000000002416000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1680-85-0x0000000002420000-0x000000000249B000-memory.dmp

      Filesize

      492KB

      Download