Analysis

  • max time kernel
    192s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2023 17:51

General

  • Target

    NEAS.3b4435c492862dbcbe76824854c02600.exe

  • Size

    135KB

  • MD5

    3b4435c492862dbcbe76824854c02600

  • SHA1

    9582f5a6baa9a20a67d8aef685f5845715794d73

  • SHA256

    6af6e64202cb3703d3b054d33d7cea6514bd583a07b81148dddc82194df830e8

  • SHA512

    d016e4dc26a3593aba3ab036ded8f70e4a3ded1af7ab965d2d03d4df98ad8b7083dd56e5f66148f1ba233f292f20f9693138e522ece2d0ee3d4aaa39eac2bb73

  • SSDEEP

    3072:e02gsmbHGhqCkQINRiUsIPZLJh90vbXDztaZ14a8l:87m6hqCfysKEz8Z1Fg

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.3b4435c492862dbcbe76824854c02600.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.3b4435c492862dbcbe76824854c02600.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2076
  • C:\Windows\zmxrwm.exe
    C:\Windows\zmxrwm.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2708

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Windows\zmxrwm.exe

    Filesize

    135KB

    MD5

    3b4435c492862dbcbe76824854c02600

    SHA1

    9582f5a6baa9a20a67d8aef685f5845715794d73

    SHA256

    6af6e64202cb3703d3b054d33d7cea6514bd583a07b81148dddc82194df830e8

    SHA512

    d016e4dc26a3593aba3ab036ded8f70e4a3ded1af7ab965d2d03d4df98ad8b7083dd56e5f66148f1ba233f292f20f9693138e522ece2d0ee3d4aaa39eac2bb73

  • memory/2076-0-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2076-2-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2076-3-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2076-12-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2708-8-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB

  • memory/2708-13-0x0000000010000000-0x0000000010036000-memory.dmp

    Filesize

    216KB