Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2023 17:51

General

  • Target

    NEAS.3b4435c492862dbcbe76824854c02600.exe

  • Size

    135KB

  • MD5

    3b4435c492862dbcbe76824854c02600

  • SHA1

    9582f5a6baa9a20a67d8aef685f5845715794d73

  • SHA256

    6af6e64202cb3703d3b054d33d7cea6514bd583a07b81148dddc82194df830e8

  • SHA512

    d016e4dc26a3593aba3ab036ded8f70e4a3ded1af7ab965d2d03d4df98ad8b7083dd56e5f66148f1ba233f292f20f9693138e522ece2d0ee3d4aaa39eac2bb73

  • SSDEEP

    3072:e02gsmbHGhqCkQINRiUsIPZLJh90vbXDztaZ14a8l:87m6hqCfysKEz8Z1Fg

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload (8 IoCs)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (10 IoCs)

    Detects executables packed with the UPX open source packer or a modified UPX.

  • Drops file in Windows directory (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.3b4435c492862dbcbe76824854c02600.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.3b4435c492862dbcbe76824854c02600.exe"
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID: 4544
  • C:\Windows\vanpws.exe
    Command line: C:\Windows\vanpws.exe
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    PID: 4136

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\vanpws.exe

    Filesize

    135KB

    MD5

    3b4435c492862dbcbe76824854c02600

    SHA1

    9582f5a6baa9a20a67d8aef685f5845715794d73

    SHA256

    6af6e64202cb3703d3b054d33d7cea6514bd583a07b81148dddc82194df830e8

    SHA512

    d016e4dc26a3593aba3ab036ded8f70e4a3ded1af7ab965d2d03d4df98ad8b7083dd56e5f66148f1ba233f292f20f9693138e522ece2d0ee3d4aaa39eac2bb73

  • memory/4136-8-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4136-11-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4136-10-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4136-12-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4136-14-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4544-0-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4544-3-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4544-4-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4544-2-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)
  • memory/4544-13-0x0000000010000000-0x0000000010036000-memory.dmp (Filesize 216KB)