Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows7_x64
  • resource: win7-20231020-en
  • resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted: 20/11/2023, 04:07

General

  • Target: d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e.exe
  • Size: 2.5MB
  • MD5: 7f1cf479b6aa478a890f97990ee79a51
  • SHA1: e64846493a16d7785e4de4aa58d436ed7b419c2c
  • SHA256: d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e
  • SHA512: 1475585b2a4b4662cd3e227c627e6f740b30198a102b6a9af7fa9f04d257f6603c6198fc101239016577c1e4ec8bb28dcc384bf788db7d5c6b58e4bffadd57b6
  • SSDEEP: 49152:Sd4n+zgsFd7Cgc/wgjyxzfV/3CEz4KJmg7657qwnu3glU7dTu:dCgs2KJmg7692OUE

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e.exe
    "C:\Users\Admin\AppData\Local\Temp\d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Public\VAxplorer\VAxplorer.exe
      "C:\Users\Public\VAxplorer\VAxplorer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2836

Network

        MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\VAxplorer\MSVCP100.dll
    Filesize: 411KB
    MD5: bc83108b18756547013ed443b8cdb31b
    SHA1: 79bcaad3714433e01c7f153b05b781f8d7cb318d
    SHA256: b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671
    SHA512: 6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

  • C:\Users\Public\VAxplorer\MSVCR100.dll
    Filesize: 755KB
    MD5: 0e37fbfa79d349d672456923ec5fbbe3
    SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
    SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
    SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Public\VAxplorer\VAxplorer.dat
    Filesize: 61B
    MD5: 8ed7609fae6a7df701e1e791d67fadd2
    SHA1: 86ad5aef5e2e6f62ef424aab2fc5190175e4ed73
    SHA256: 378d92af812e7a684d52a9a7ccef391de413d27a4f7376078b02079e7b862b6c
    SHA512: 5dfa0c063d713bb7a014ff817ea1e99cf5818ba7df7b964a5e072d0cf90f314d4ce73978291092927b291b0276ae10a44b2c3f95e799378616b5fbd39e1c1fcd

  • C:\Users\Public\VAxplorer\VAxplorer.exe
    Filesize: 678KB
    MD5: 89c753dfc41e368f0907d3b2ecf46279
    SHA1: 439e2649923476fbfe9e85a9f3eee0b201e6f1ba
    SHA256: 354f09fd303d2c339e288f4af5bb1017a5df8c97a67ed3ccd2b85f07d8700972
    SHA512: dcc5a5336d8562e2a015aa377c12c8419a3b913e5d567afd08995ff54f67b42956b65ac90c375ad72d39431bbb857010984a0f28c9a2764b1c26c14c915d4f52

  • C:\Users\Public\VAxplorer\donottrace.txt
    Filesize: 576KB
    MD5: 9a98c294c1154222b4c21a3864dba039
    SHA1: 66c107c565206ef27b330e08c5d6d67c18e336e5
    SHA256: f69a5988f447e6977699761bec7e88032503a981dc12872cb5b688ce0473b400
    SHA512: b76abb095ca814fefb1f8f742b92d9740b87956e0fe1111c860fad2385820b5e8874557026800246a4b75f10df72671d013517465a24dfe1c1f26ee3dfc0fe0a

  • C:\Users\Public\VAxplorer\libcurl.dll
    Filesize: 558KB
    MD5: 81b0085bd2e701a3aa178d9e51fe3016
    SHA1: 7a2c2aec8d7a6a6a282f09b8f28883b51fe7a005
    SHA256: 0806be5c1993c9468bae252b5d241d45069c77332a8eb8b9a8b2150b1fe7ffea
    SHA512: ee1a5fdabefc4ee86526a33c1b61f25d4d0e74b349fd2e994bdcee3ad33961eb1eb49b9793f8a968902ab6530d25158491747c627cdf33ed3573b9e957ce4971

  • C:\Users\Public\VAxplorer\task.dat
    Filesize: 86B
    MD5: 5be0df210353fe909e869c4c90dded0b
    SHA1: 4b7b7bf5d10651745459f2af36d47dce65d26889
    SHA256: c57b13148534ef6b221e9de523940c18035e6a11eb5376052421b08688ab8a01
    SHA512: 658ff889ab286b2b8185e1bec839b6d2f743898fd7749452af87f12b7b2424a98c9dc758674546ece66fecf9d264567d33d5606fc153b151b2cb756252475c8c

  • \Users\Public\VAxplorer\libcurl.dll
    Filesize: 558KB
    MD5: 81b0085bd2e701a3aa178d9e51fe3016
    SHA1: 7a2c2aec8d7a6a6a282f09b8f28883b51fe7a005
    SHA256: 0806be5c1993c9468bae252b5d241d45069c77332a8eb8b9a8b2150b1fe7ffea
    SHA512: ee1a5fdabefc4ee86526a33c1b61f25d4d0e74b349fd2e994bdcee3ad33961eb1eb49b9793f8a968902ab6530d25158491747c627cdf33ed3573b9e957ce4971

  • \Users\Public\VAxplorer\msvcp100.dll
    Filesize: 411KB
    MD5: bc83108b18756547013ed443b8cdb31b
    SHA1: 79bcaad3714433e01c7f153b05b781f8d7cb318d
    SHA256: b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671
    SHA512: 6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

  • \Users\Public\VAxplorer\msvcr100.dll
    Filesize: 755KB
    MD5: 0e37fbfa79d349d672456923ec5fbbe3
    SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
    SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
    SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • memory/2836-28-0x0000000000970000-0x0000000000A06000-memory.dmp
    Filesize: 600KB

  • memory/2836-29-0x0000000000970000-0x0000000000A06000-memory.dmp
    Filesize: 600KB

  • memory/2836-31-0x00000000025B0000-0x000000000262B000-memory.dmp
    Filesize: 492KB

  • memory/2836-60-0x0000000000970000-0x0000000000A06000-memory.dmp
    Filesize: 600KB