Overview

overview

10

Static

static

7

Ghost Cosm...um.exe

windows11-21h2-x64

10

Resubmissions

09-12-2023 15:55

231209-tcxyxahcaj 10

Analysis

  • max time kernel
    85s
  • max time network
    89s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-12-2023 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ghost Cosmetics Premium.exe

  • Size

    16.3MB

  • MD5

    5c55e14e94c0e65e5e5965a2a45cd6d7

  • SHA1

    e646d601e67b80e98412efb254c6f9230b711823

  • SHA256

    d3a0ed9c610f5222c36c47cbcf31586ece30fcc4e1ef758d9ea40e40650a2e8d

  • SHA512

    585e8b54e2f7e9cbb35a2a98adc2b520d9e9a947f708e7b67c739b44813660fa3f4964bfde33f29f146e128c060260d6eded3464bf9b3ec1ec274b9ce1823263

  • SSDEEP

    393216:RbGRYyAZtRPGh6YDhim6uLTi093Fq6zph+LvvLUqW01fiO:Rts6YDhiR0TD91qkph+HR

Score
10/10
agentteslakeyloggerspywarestealertrojanvmprotect

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ghost Cosmetics Premium.exe
    "C:\Users\Admin\AppData\Local\Temp\Ghost Cosmetics Premium.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1992-0-0x00007FF9D16F0000-0x00007FF9D21B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1992-1-0x000002262DD60000-0x000002262F606000-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/1992-2-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-3-0x0000022649D30000-0x0000022649F26000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1992-4-0x000002264A030000-0x000002264A17E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1992-5-0x000002262FAB0000-0x000002262FAC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1992-6-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-7-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-8-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-9-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-10-0x000002264C6F0000-0x000002264C702000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1992-11-0x000002264C8B0000-0x000002264C8EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1992-12-0x00007FF9D16F0000-0x00007FF9D21B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1992-13-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-14-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-15-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-16-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1992-17-0x000002262FA30000-0x000002262FA40000-memory.dmp

    Filesize

    64KB

    Download