Analysis
-
max time kernel
151s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
06-10-2023 20:53
General
-
Target
NEAS.e30e947c000a0e11c6b8a285a7013cd10ea55af42be787c54822bd91d94c6400_JC.exe
-
Size
673KB
-
MD5
484ab79215e73743053556b128a60ef0
-
SHA1
74500943aec7c38764a6b7b6babf9ffbdd440c27
-
SHA256
e30e947c000a0e11c6b8a285a7013cd10ea55af42be787c54822bd91d94c6400
-
SHA512
e1ad76c0b0116c0431c9a3befdca6555df5ee0583474075720bf94c26ab9fa4e0ca582b9f28ba91a92080fa2b1677d7269ce6e970fa56abcb9dddc0364949356
-
SSDEEP
12288:FW5tTEdPGYqEOc4POXmH8GI0duC77jDb0PUH:F8Eo6OcUODWxTH
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e30e947c000a0e11c6b8a285a7013cd10ea55af42be787c54822bd91d94c6400_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e30e947c000a0e11c6b8a285a7013cd10ea55af42be787c54822bd91d94c6400_JC.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\VAxplorer\VAxplorer.exe"C:\Users\Public\VAxplorer\VAxplorer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5f1ecccf56f0161245cf531ed03e9a782
SHA16db1bba372437d54f9e6d79f4bfb12ecc510235a
SHA2561317dec4136b6f8ebddaf1afaee75c00da642756edc1daaf338a3fd84a7f4edf
SHA512cfde07c301f95225e9677f0deaf14f29d7916c43f109ca2bd0bfefb5504b56a7ae3ac6af6cc7d339fca26c4e53860572277cc1d26bc51eed42543d45438e3d34
-
Filesize
408KB
MD5f1ecccf56f0161245cf531ed03e9a782
SHA16db1bba372437d54f9e6d79f4bfb12ecc510235a
SHA2561317dec4136b6f8ebddaf1afaee75c00da642756edc1daaf338a3fd84a7f4edf
SHA512cfde07c301f95225e9677f0deaf14f29d7916c43f109ca2bd0bfefb5504b56a7ae3ac6af6cc7d339fca26c4e53860572277cc1d26bc51eed42543d45438e3d34
-
Filesize
7.1MB
MD5bf05cfb57a804d204f53466a65eb0f8d
SHA18f9c318c65185e35b923a310b6d13fec3cc34189
SHA256acdf30226741829ef71762d989c46137f30e8289f72282e480a849ecaddec18b
SHA51235628f90206c7335a322699ae90d9b55a57a9c120f8085e69b48d9782e46a5c666ff41d0af5de3354e4078ba272dab7db5f7ce82365ce9fe637b8f0506ea7f9e
-
Filesize
7.1MB
MD5bf05cfb57a804d204f53466a65eb0f8d
SHA18f9c318c65185e35b923a310b6d13fec3cc34189
SHA256acdf30226741829ef71762d989c46137f30e8289f72282e480a849ecaddec18b
SHA51235628f90206c7335a322699ae90d9b55a57a9c120f8085e69b48d9782e46a5c666ff41d0af5de3354e4078ba272dab7db5f7ce82365ce9fe637b8f0506ea7f9e
-
Filesize
61B
MD59c9334ec2c1d97efd49b60d1ec5786e9
SHA19670ab321ee35578f3bf6d835a0c0fd5ed340f1c
SHA2563d6fc2183a0b3ea713d750878aa02e3fefd0861c095c8ebec5fa2a069c24c5d1
SHA512af7ce330841d990165207b72c16e34310d2af590668ba0f27270d422d12f36da306855a118d6014af6445bf19f6e71b768ac1a041bc034b5607cbf5a76201358
-
Filesize
133KB
MD546ef5c93d32489b5e213d2af3f3b01b5
SHA1011f0cd2bdfd1e10c9058a67e0f6822ae30229f4
SHA25649e19a75210a72dc9b7055b6a07313d5c43b2467c117664f84032bcb0a66db73
SHA5120058d6904599a9eadb0fafb30196bf49aa71e23000e5c692a83ccffa21f12ae4988859e94c7402445f70b4b0e1a5cf5776f8aa4d8e31e54e7470f27d6da8beae
-
Filesize
133KB
MD546ef5c93d32489b5e213d2af3f3b01b5
SHA1011f0cd2bdfd1e10c9058a67e0f6822ae30229f4
SHA25649e19a75210a72dc9b7055b6a07313d5c43b2467c117664f84032bcb0a66db73
SHA5120058d6904599a9eadb0fafb30196bf49aa71e23000e5c692a83ccffa21f12ae4988859e94c7402445f70b4b0e1a5cf5776f8aa4d8e31e54e7470f27d6da8beae
-
Filesize
133KB
MD546ef5c93d32489b5e213d2af3f3b01b5
SHA1011f0cd2bdfd1e10c9058a67e0f6822ae30229f4
SHA25649e19a75210a72dc9b7055b6a07313d5c43b2467c117664f84032bcb0a66db73
SHA5120058d6904599a9eadb0fafb30196bf49aa71e23000e5c692a83ccffa21f12ae4988859e94c7402445f70b4b0e1a5cf5776f8aa4d8e31e54e7470f27d6da8beae
-
Filesize
576KB
MD58853f388a31dfcf9f6d4a48c0568322c
SHA15a41c42845a03ec7033efbccc2c0800ac50758ba
SHA256647d152ffb59cffa15ef2e346541ae0437c0e689e0486ebf1f47c4694a5a8f92
SHA512bcdc834c212ed0391af234b5cc651bd71a82725d0cbdcfba8a87cfad344cba6dc6ba48c1c37a85d0a3a17ecefa4a728d26b4fc3200b2d0017a2c42bef8960edb
-
Filesize
84B
MD51ebeb91405a354285c9d643a2cb621f2
SHA16c955ba873e395e1b771358b6690dbd97cb25f5e
SHA25680e46e97f02a2a84581d011518b76a0d5054f423e93dc30a4e0816a425c6677f
SHA5125be85e38d96a43e44eb9cf66e45af067a3a9464ac55711f5b9aab424a53e2be92462ed289a09a82cebc6aa002c52d4e4b04a757b1bcaf31aa22f173af93f353c
-
Filesize
600KB
-
Filesize
600KB
-
Filesize
492KB
-
Filesize
600KB