Overview

overview

10

Static

static

3

bc90f2e42e...4b.exe

windows7-x64

10

bc90f2e42e...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    10/10/2023, 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b.exe

  • Size

    388KB

  • MD5

    35f66c79f4dfcc11119c020cca13821e

  • SHA1

    dcc8b9b4f72c4f26e0ad4144db5aaf1f6089e941

  • SHA256

    bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b

  • SHA512

    b8db6628ff63bba28927e2d76a127caa17f3c1cce6dd7a180c7fa09b1c88af7b522c4b2a85864a8f0025232dff6aaf0e874abb5a7d81c84fa59cc0ede1ebf9b0

  • SSDEEP

    6144:fIyLEbWaR5Cc37a3vs16lF4GMunOucTTTTrJi:wUaWaR5v37a3vF2GMYOuH

Score
10/10
gh0stratrat

Malware Config

Extracted

Family

gh0strat

C2

82.156.159.199

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b.exe
    "C:\Users\Admin\AppData\Local\Temp\bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    PID:2080
  • C:\Program Files (x86)\dll.exe
    "C:\Program Files (x86)\dll.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Program Files (x86)\dll.exe
      "C:\Program Files (x86)\dll.exe" Win7
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\dll.exe
    Filesize

    388KB

    MD5

    35f66c79f4dfcc11119c020cca13821e

    SHA1

    dcc8b9b4f72c4f26e0ad4144db5aaf1f6089e941

    SHA256

    bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b

    SHA512

    b8db6628ff63bba28927e2d76a127caa17f3c1cce6dd7a180c7fa09b1c88af7b522c4b2a85864a8f0025232dff6aaf0e874abb5a7d81c84fa59cc0ede1ebf9b0

    Download Submit

  • C:\Program Files (x86)\dll.exe
    Filesize

    388KB

    MD5

    35f66c79f4dfcc11119c020cca13821e

    SHA1

    dcc8b9b4f72c4f26e0ad4144db5aaf1f6089e941

    SHA256

    bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b

    SHA512

    b8db6628ff63bba28927e2d76a127caa17f3c1cce6dd7a180c7fa09b1c88af7b522c4b2a85864a8f0025232dff6aaf0e874abb5a7d81c84fa59cc0ede1ebf9b0

    Download Submit

  • C:\Program Files (x86)\dll.exe
    Filesize

    388KB

    MD5

    35f66c79f4dfcc11119c020cca13821e

    SHA1

    dcc8b9b4f72c4f26e0ad4144db5aaf1f6089e941

    SHA256

    bc90f2e42eeb0cb11f141829067265410b605dddfa64ed353cbc3a47613c0e4b

    SHA512

    b8db6628ff63bba28927e2d76a127caa17f3c1cce6dd7a180c7fa09b1c88af7b522c4b2a85864a8f0025232dff6aaf0e874abb5a7d81c84fa59cc0ede1ebf9b0

    Download Submit

  • memory/2080-0-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download