Overview

overview

10

Static

static

3

ed3ba64121...cd.exe

windows7-x64

10

ed3ba64121...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    01/09/2023, 02:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed3ba64121bfd11bdc258dba52fb304a4c860f4d24800ba6c8a0fc45374f1bcd.exe

  • Size

    2.0MB

  • MD5

    fa0bf78f41fd641d50a2733576488e10

  • SHA1

    873cf1b636a8208d2a86da723994ed1bc01e940f

  • SHA256

    ed3ba64121bfd11bdc258dba52fb304a4c860f4d24800ba6c8a0fc45374f1bcd

  • SHA512

    7f5eb28207e021184f96df9ee3f16a620f3c1fd0c953b1d615c4a0c2f19566e38e129d4e336340461789728a197595f2489600ac062dd1506dd2db180de7c84d

  • SSDEEP

    49152:ChO1EduwCnAA7laNhK5uR+nkQYC5ZkA3JBKgI0JzHQMmGt7hChs:CrduwCB7laNhK4+nkQYC5ZkA5BLhTQMc

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed3ba64121bfd11bdc258dba52fb304a4c860f4d24800ba6c8a0fc45374f1bcd.exe
    "C:\Users\Admin\AppData\Local\Temp\ed3ba64121bfd11bdc258dba52fb304a4c860f4d24800ba6c8a0fc45374f1bcd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Public\LanecatTrial\MSIF1.exe
      "C:\Users\Public\LanecatTrial\MSIF1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\LanecatTrial\Config\config.xml
    Filesize

    714B

    MD5

    f86ac755d6fd39f8c39519593e2f3264

    SHA1

    65c6a388b277b0c47c2bdec8765a45ff342a5238

    SHA256

    f1d027d073c18f3abf023cae8ed3b37893fbf0a6e6ddb4b0fdbca67700a4e9ee

    SHA512

    01254a3212aa97efcb85a043ef27d09f8e3758b1ebff74175d9a46c2bb3e29adcfbb1f9bbe20ada61a05f3dad1d9a41a40658ad3860dfb359c1e9e0e66fe25e5

    Download Submit

  • C:\Users\Public\LanecatTrial\H264Parser.dll
    Filesize

    136KB

    MD5

    7838ed8993d87762e120a2a9785b69e8

    SHA1

    b7d78494fbc6a894ca7986fbe7184f3c7856bc58

    SHA256

    2a6e6ddfc9821c85f8b5642b79fc948d47bd73fbe158e3824601e1a53246bd34

    SHA512

    ef7aca07e9fd1184f04ab652b9af7b20e2ca6e09560701a17cdf49e0546569835c81648c0906c0be58b502844ad9583432ba297cdf0ba97a72702621add2a4ce

    Download Submit

  • C:\Users\Public\LanecatTrial\HevcParser.dll
    Filesize

    88KB

    MD5

    bf5bda734e0f90c5d4cb5a96f3fbb095

    SHA1

    62ee815e4016f0738de0577386d3b39d4b3805a0

    SHA256

    c2a30ad5037b72985153def616159acf420bb17724f260442cf3c0e08e6b4473

    SHA512

    432c2ef627602852690e4a8f768c1530effa8aa903e4c4e4d0151886c85192f73f75de08fc28856ed82bbaa13837d303f7c1a382f3fd7e8f60163f093f11419d

    Download Submit

  • C:\Users\Public\LanecatTrial\IvsDrawer.dll
    Filesize

    311KB

    MD5

    d1af9705fa9934fa2ae9b43a9e7f9d1c

    SHA1

    2f126dfbc9603c47535ef433b6b396cd2a665ffe

    SHA256

    79e101e97a4457f968eaf925e5bc3749364558291b83d0af01d8439580774b65

    SHA512

    16725d25dd4ed22ff1f926587bbe0abd61145862933a615a97a9a02da9f11fec01735250e148daf5b92ede13032ad89c37de8f8a74cf5cac9a807d34b8738059

    Download Submit

  • C:\Users\Public\LanecatTrial\MSIF1.dat
    Filesize

    61B

    MD5

    fa67bf7bc3e4668a8e715f60a047907f

    SHA1

    c6594ed7cf563ef7d5738a4747d7c3db7750c7d5

    SHA256

    45a403788137e0074e393d9fc58f4bae133ae2864226169f8bcf17e2ef18eac3

    SHA512

    3984b88217130b9da1a9c209bfb8daee56974b52b705a5919ea7da3ef6f59e36888fd129faa94a912e5cbec619e186ddc79dffc3209f94398ba26e568ad758d0

    Download Submit

  • C:\Users\Public\LanecatTrial\MSIF1.exe
    Filesize

    2.5MB

    MD5

    cdd90b75bc029d47277b8ea8f4a3dc3c

    SHA1

    4ecd1a35234fdf2a90bd099fe89e3792e584a976

    SHA256

    f343020d58f8d41334873fc8a4e6a81abf604b2a438255578603313c8bcb2b1f

    SHA512

    975b22fe4a90f34cae2aa3966e1342a6155767ddc6803b717e4ada8e70c8c81a48439bf3b04110aaf73efb8daa01a8fb63d5b8e4fcb8c3715383333404227392

    Download Submit

  • C:\Users\Public\LanecatTrial\MSIF1.exe
    Filesize

    2.5MB

    MD5

    cdd90b75bc029d47277b8ea8f4a3dc3c

    SHA1

    4ecd1a35234fdf2a90bd099fe89e3792e584a976

    SHA256

    f343020d58f8d41334873fc8a4e6a81abf604b2a438255578603313c8bcb2b1f

    SHA512

    975b22fe4a90f34cae2aa3966e1342a6155767ddc6803b717e4ada8e70c8c81a48439bf3b04110aaf73efb8daa01a8fb63d5b8e4fcb8c3715383333404227392

    Download Submit

  • C:\Users\Public\LanecatTrial\MSIF1.exe
    Filesize

    2.5MB

    MD5

    cdd90b75bc029d47277b8ea8f4a3dc3c

    SHA1

    4ecd1a35234fdf2a90bd099fe89e3792e584a976

    SHA256

    f343020d58f8d41334873fc8a4e6a81abf604b2a438255578603313c8bcb2b1f

    SHA512

    975b22fe4a90f34cae2aa3966e1342a6155767ddc6803b717e4ada8e70c8c81a48439bf3b04110aaf73efb8daa01a8fb63d5b8e4fcb8c3715383333404227392

    Download Submit

  • C:\Users\Public\LanecatTrial\PlayModule.dll
    Filesize

    72KB

    MD5

    5493b6f4fe0a89244658f068ef3a3262

    SHA1

    e23e10c945092e3948f438478588af3ed9f2a423

    SHA256

    e9e862cafad65c726834226da4c9f382037dfd87f49e3a9043b06d887b09c2ad

    SHA512

    21abd250ea7f72b4d039a3643436d7803d37fe0c61f2baab90d179eed1e282d7b3deca2266b56f7d1e6103e7cfaaa1785f0fd1e05b90e5372e315bded87350a6

    Download Submit

  • C:\Users\Public\LanecatTrial\QtCore4.dll
    Filesize

    2.5MB

    MD5

    8d56b80d3d650452add06d7a89ba75f9

    SHA1

    1db8005c9c2fd2627bd8dde001a947ddd5953bb8

    SHA256

    1d3d0fec530436d2bfea63832a735aeb1a76d44cc262a08634121cdcd793b148

    SHA512

    19b8e58c8cf0e3624149f54b3ecfc319773483ae1bc1f9bee50bd1ea86fc62a9c38d4e18726f94a6f5fa1e2d8466ab1a3fbcbb15cc1830b88a7d1c244532217a

    Download Submit

  • C:\Users\Public\LanecatTrial\QtGui4.dll
    Filesize

    8.2MB

    MD5

    a1a0e8d521af0da88827ebd492370ab6

    SHA1

    f74fa4c81c009806ef70050424f4fcc66c23ee1d

    SHA256

    d3a9af1b8bbaee93f920e1532b25607c442ff2ab319d3b988b6aaa0d185bf3ca

    SHA512

    1238dfe0929d83d0154f53a11ab2b22b731d1ec6fa863c0adaa3bce68fed6df88052da25497936d6ca66f1b95aeda51c2c7ce8e0eb510c9c5770732d5b22721b

    Download Submit

  • C:\Users\Public\LanecatTrial\SmartPlayer_Style.css
    Filesize

    3KB

    MD5

    e72f23305ed0d833456ad0dc5b385231

    SHA1

    34f61a992765c4a2bf050dea3e45ea33200a3a1e

    SHA256

    ccb9152fb476550d6b845eb6ab15c37c67fa8919cb5b4be8539d8ac35e42a9d9

    SHA512

    1cfe18e5c0ea803d32b89735b8f2fe1df118e4c3faefd5379fae61475711a5a1863c00b27a15983f6f4d7f33387bdcbfce94c9f62d690462c205ca6a66df3567

    Download Submit

  • C:\Users\Public\LanecatTrial\dhplay.dll
    Filesize

    1.3MB

    MD5

    8d530128b0d5c5ba42c1330ecb030221

    SHA1

    a54d0376bafc789199f243a220480e84e9a185da

    SHA256

    c356a03d6f0bc20310d1ba59021d924cb6d66b37f96b2eea8e2d9135c1eb9eac

    SHA512

    e4f8f974ae411af9461d6572832286cf292c49f9803ab2359d5017cd23ae82079a2f90eb2cfb5ba42b7acbdd06d2f74e6ecddf6355fafea194f87b060e1f675d

    Download Submit

  • C:\Users\Public\LanecatTrial\donottrace.txt
    Filesize

    827KB

    MD5

    bbe85adcd40dce9208823c51d19b8c9f

    SHA1

    fc28ce468282f7a9c14e4d5a03f35541edcd9065

    SHA256

    ea1d5a1ac433773aece8cd8e681bec36e1ced059ff4decad9c080572f85ce6c3

    SHA512

    df175ca349520f0031786801e1da456219b0ef2c904a23176653ad357e6d49ab7b9b3d7a8d7e140fc402f81fc3c2a9f7e219c5a8a77c61eef8bea4ed72bcf9c0

    Download Submit

  • C:\Users\Public\LanecatTrial\qt_zh_CN.qm
    Filesize

    114KB

    MD5

    b229ee4a58b9c9e604431a43ca95a78a

    SHA1

    4c77cca52b0ec85a0c8e7bcdfa796695bd2066f9

    SHA256

    be0546ac5afec81595e4acd323d20dd31632a19623dcfbdba2e9374cec6be149

    SHA512

    2b2b108f11c60bf506b2204fd1c171a346d797a770eaaf2667325888911ecc3e2df8a68f2a31e35894a75fba944f41cca146fc03c5fa8a5d0cb3f0db26f8762b

    Download Submit

  • C:\Users\Public\LanecatTrial\task.dat
    Filesize

    86B

    MD5

    0a87e250ede41c438084e2f207acda42

    SHA1

    233ea7b0c0a926e74a65a4fe73f47430bea3e06f

    SHA256

    5255d769c48a0f20cb2f40966f9f7bc2cbe30a10b88d3fb30b3d61b8c5e8e32d

    SHA512

    1a07a89c2bc1990a0eabb055d59ba6fb729dcdf6ed006cfa698fc3fed715578bba099b83a62b51b3a8dbbe4c5d4d86c4a4829c6f634592dd6e5f05e2e6f3f740

    Download Submit

  • \Users\Public\LanecatTrial\H264Parser.dll
    Filesize

    136KB

    MD5

    7838ed8993d87762e120a2a9785b69e8

    SHA1

    b7d78494fbc6a894ca7986fbe7184f3c7856bc58

    SHA256

    2a6e6ddfc9821c85f8b5642b79fc948d47bd73fbe158e3824601e1a53246bd34

    SHA512

    ef7aca07e9fd1184f04ab652b9af7b20e2ca6e09560701a17cdf49e0546569835c81648c0906c0be58b502844ad9583432ba297cdf0ba97a72702621add2a4ce

    Download Submit

  • \Users\Public\LanecatTrial\HevcParser.dll
    Filesize

    88KB

    MD5

    bf5bda734e0f90c5d4cb5a96f3fbb095

    SHA1

    62ee815e4016f0738de0577386d3b39d4b3805a0

    SHA256

    c2a30ad5037b72985153def616159acf420bb17724f260442cf3c0e08e6b4473

    SHA512

    432c2ef627602852690e4a8f768c1530effa8aa903e4c4e4d0151886c85192f73f75de08fc28856ed82bbaa13837d303f7c1a382f3fd7e8f60163f093f11419d

    Download Submit

  • \Users\Public\LanecatTrial\IvsDrawer.dll
    Filesize

    311KB

    MD5

    d1af9705fa9934fa2ae9b43a9e7f9d1c

    SHA1

    2f126dfbc9603c47535ef433b6b396cd2a665ffe

    SHA256

    79e101e97a4457f968eaf925e5bc3749364558291b83d0af01d8439580774b65

    SHA512

    16725d25dd4ed22ff1f926587bbe0abd61145862933a615a97a9a02da9f11fec01735250e148daf5b92ede13032ad89c37de8f8a74cf5cac9a807d34b8738059

    Download Submit

  • \Users\Public\LanecatTrial\MSIF1.exe
    Filesize

    2.5MB

    MD5

    cdd90b75bc029d47277b8ea8f4a3dc3c

    SHA1

    4ecd1a35234fdf2a90bd099fe89e3792e584a976

    SHA256

    f343020d58f8d41334873fc8a4e6a81abf604b2a438255578603313c8bcb2b1f

    SHA512

    975b22fe4a90f34cae2aa3966e1342a6155767ddc6803b717e4ada8e70c8c81a48439bf3b04110aaf73efb8daa01a8fb63d5b8e4fcb8c3715383333404227392

    Download Submit

  • \Users\Public\LanecatTrial\MSIF1.exe
    Filesize

    2.5MB

    MD5

    cdd90b75bc029d47277b8ea8f4a3dc3c

    SHA1

    4ecd1a35234fdf2a90bd099fe89e3792e584a976

    SHA256

    f343020d58f8d41334873fc8a4e6a81abf604b2a438255578603313c8bcb2b1f

    SHA512

    975b22fe4a90f34cae2aa3966e1342a6155767ddc6803b717e4ada8e70c8c81a48439bf3b04110aaf73efb8daa01a8fb63d5b8e4fcb8c3715383333404227392

    Download Submit

  • \Users\Public\LanecatTrial\PlayModule.dll
    Filesize

    72KB

    MD5

    5493b6f4fe0a89244658f068ef3a3262

    SHA1

    e23e10c945092e3948f438478588af3ed9f2a423

    SHA256

    e9e862cafad65c726834226da4c9f382037dfd87f49e3a9043b06d887b09c2ad

    SHA512

    21abd250ea7f72b4d039a3643436d7803d37fe0c61f2baab90d179eed1e282d7b3deca2266b56f7d1e6103e7cfaaa1785f0fd1e05b90e5372e315bded87350a6

    Download Submit

  • \Users\Public\LanecatTrial\QtCore4.dll
    Filesize

    2.5MB

    MD5

    8d56b80d3d650452add06d7a89ba75f9

    SHA1

    1db8005c9c2fd2627bd8dde001a947ddd5953bb8

    SHA256

    1d3d0fec530436d2bfea63832a735aeb1a76d44cc262a08634121cdcd793b148

    SHA512

    19b8e58c8cf0e3624149f54b3ecfc319773483ae1bc1f9bee50bd1ea86fc62a9c38d4e18726f94a6f5fa1e2d8466ab1a3fbcbb15cc1830b88a7d1c244532217a

    Download Submit

  • \Users\Public\LanecatTrial\QtGui4.dll
    Filesize

    8.2MB

    MD5

    a1a0e8d521af0da88827ebd492370ab6

    SHA1

    f74fa4c81c009806ef70050424f4fcc66c23ee1d

    SHA256

    d3a9af1b8bbaee93f920e1532b25607c442ff2ab319d3b988b6aaa0d185bf3ca

    SHA512

    1238dfe0929d83d0154f53a11ab2b22b731d1ec6fa863c0adaa3bce68fed6df88052da25497936d6ca66f1b95aeda51c2c7ce8e0eb510c9c5770732d5b22721b

    Download Submit

  • \Users\Public\LanecatTrial\dhplay.dll
    Filesize

    1.3MB

    MD5

    8d530128b0d5c5ba42c1330ecb030221

    SHA1

    a54d0376bafc789199f243a220480e84e9a185da

    SHA256

    c356a03d6f0bc20310d1ba59021d924cb6d66b37f96b2eea8e2d9135c1eb9eac

    SHA512

    e4f8f974ae411af9461d6572832286cf292c49f9803ab2359d5017cd23ae82079a2f90eb2cfb5ba42b7acbdd06d2f74e6ecddf6355fafea194f87b060e1f675d

    Download Submit

  • memory/1724-389-0x00000000003C0000-0x00000000003D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1724-383-0x00000000021B0000-0x0000000003BCC000-memory.dmp

    Filesize

    26.1MB

    Download

  • memory/1724-395-0x0000000004420000-0x00000000044F3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/1724-396-0x0000000004420000-0x00000000044F3000-memory.dmp

    Filesize

    844KB

    Download

  • memory/1724-398-0x0000000002090000-0x000000000210B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1724-415-0x0000000004420000-0x00000000044F3000-memory.dmp

    Filesize

    844KB

    Download