Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2023 15:50

General

  • Target

    04633c60e3edc0fec19defb750e2cfd0.exe

  • Size

    920KB

  • MD5

    04633c60e3edc0fec19defb750e2cfd0

  • SHA1

    050f30070bec6d1287b698b2727770d8a94d0b8e

  • SHA256

    e22b01b3e9fbf507b295b4eaf636cf2dac724e2463567d695e31032ff0898ed1

  • SHA512

    194251d8490e876f3919bbcc0d89edd3b1b6da655b1552e9cdb2e4fcae613d3a4e60f9f788a83f15e8a874c14cc0554b3087f695677c115df7ce027568a1c7f0

  • SSDEEP

    12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZ1vqT:iM5j8Z3aKHx5r+TuxX+IwffFZ1vqT

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04633c60e3edc0fec19defb750e2cfd0.exe
    "C:\Users\Admin\AppData\Local\Temp\04633c60e3edc0fec19defb750e2cfd0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:5104
    • \??\c:\Windows\svchest432048043204801465662051.exe
      c:\Windows\svchest432048043204801465662051.exe
      2⤵
      • Executes dropped EXE
      PID:4872

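The behaviour chain recorded under Signatures and Processes (the sample in Temp writes C:\Windows\svchest<digits>.exe, registers a Run value, then executes the dropped file) expressed as a small detection over Sysmon-style event records. This is an added example and not part of the sandbox report: the events are constructed to mirror this run, the Run value name "svchest", the parent PIDs and the benign noise events are assumptions the report does not state, and the only indicators taken from the page are the dropped-file name pattern and the four SHA256 values.

```python
import re
from collections import defaultdict

# Indicators lifted from this report: the dropped-file name (note "svchest",
# a look-alike of the legitimate svchost) and the SHA256 values of the
# submitted sample and the three dropped variants listed under Downloads.
DROPPED_PATH_RE = re.compile(
    r"^(?:\\\?\?\\)?c:\\windows\\svchest\d+\.exe$", re.IGNORECASE)
KNOWN_SHA256 = {
    "e22b01b3e9fbf507b295b4eaf636cf2dac724e2463567d695e31032ff0898ed1",
    "16ed6749c7059d21d16d7d24c171b6ac2818f7ee77507c701f4859fbd0b3de9c",
    "af7e94718971e69d658cb772e8fe1065ed8c2bb49d42d1957eed4d850dfc00b2",
    "1284dfaca7cc285df88c8b59a77850e1c515b92c18fdbe893ce8ef8fdf8ca7e5",
}
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def norm_path(p):
    """Drop the NT \\??\\ prefix and lower-case, so both spellings used in
    the report (C:\\Windows\\... and \\??\\c:\\Windows\\...) compare equal."""
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def find_drop_and_persist_chains(events):
    """Return one finding per process-create event (id 1) that either has a
    known hash or matches at least two of: svchest<digits>.exe name, parent
    wrote that file (id 11), parent pointed a Run value at it (id 13)."""
    created = defaultdict(set)   # pid -> paths it wrote
    runkeys = defaultdict(set)   # pid -> Run-value payload paths it set
    for ev in events:
        if ev["id"] == 11:
            created[ev["pid"]].add(norm_path(ev["target"]))
        elif ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]):
            runkeys[ev["pid"]].add(norm_path(ev["details"].strip('"')))

    findings = []
    for ev in events:
        if ev["id"] != 1:
            continue
        image = norm_path(ev["image"])
        hits = []
        if DROPPED_PATH_RE.match(image):
            hits.append("svchest_name")
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append("known_hash")
        if image in created[ev["ppid"]]:
            hits.append("parent_dropped_it")
        if image in runkeys[ev["ppid"]]:
            hits.append("parent_set_run_key")
        if "known_hash" in hits or len(hits) >= 2:
            findings.append({"pid": ev["pid"], "ppid": ev["ppid"],
                             "image": ev["image"], "indicators": hits})
    return findings


# Constructed Sysmon-style records mirroring this run (PIDs 5104 and 4872 are
# from the report; ppid 3001, the "svchest" value name and the benign rows
# are assumptions for the example).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 5104, "ppid": 3001,
     "image": r"C:\Users\Admin\AppData\Local\Temp\04633c60e3edc0fec19defb750e2cfd0.exe",
     "sha256": "e22b01b3e9fbf507b295b4eaf636cf2dac724e2463567d695e31032ff0898ed1"},
    {"id": 11, "pid": 5104,
     "target": r"C:\Windows\svchest432048043204801465662051.exe"},
    {"id": 13, "pid": 5104,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchest",
     "details": r"c:\Windows\svchest432048043204801465662051.exe"},
    {"id": 1, "pid": 4872, "ppid": 5104,
     "image": r"\??\c:\Windows\svchest432048043204801465662051.exe",
     "sha256": "16ed6749c7059d21d16d7d24c171b6ac2818f7ee77507c701f4859fbd0b3de9c"},
    # benign noise: the real service host, and an installer adding its own Run value
    {"id": 1, "pid": 900, "ppid": 700,
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "00" * 32},
    {"id": 13, "pid": 2222,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 1, "pid": 2300, "ppid": 2222,
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "sha256": "11" * 32},
]

if __name__ == "__main__":
    for f in find_drop_and_persist_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']} (parent {f['ppid']}): {f['image']} -> {f['indicators']}")
```

The hash match alone is enough to flag the two processes from this run, but the behavioural pair (parent wrote the svchest<digits>.exe and set a Run value at it) is what will still fire on the next rebuild of the dropper, whose hash will differ; the Downloads section already shows three distinct hashes for the same dropped file name.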
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\svchest432048043204801465662051.exe

    Filesize

    200KB

    MD5

    0d0888c016a06a7793da0fff680ad052

    SHA1

    fb8b95033b9d445d2002e68e0e3e089e0b8b17c5

    SHA256

    16ed6749c7059d21d16d7d24c171b6ac2818f7ee77507c701f4859fbd0b3de9c

    SHA512

    06c52002eaa5ec741d08087dd7d9fdd4c3d9f8f259d1420703ec4d871c9479faf561fe7c84b76050f8ebd5c3aaeffd56aab332423fe17579fdd1c51a85e4eb19

  • C:\Windows\svchest432048043204801465662051.exe

    Filesize

    288KB

    MD5

    ad4d237e9036f7a4a0a933b0ae4b0e43

    SHA1

    aae262b767413eb88370a91af14f98179fbb9aa9

    SHA256

    af7e94718971e69d658cb772e8fe1065ed8c2bb49d42d1957eed4d850dfc00b2

    SHA512

    7ea387176cabb7bccdb47dfed72c96946522f6ff86975f1b480abe08c22037632ec7208b588720d89391ef8a769b1c1e0e011973bbf424e1d7a86b4faf569863

  • \??\c:\Windows\svchest432048043204801465662051.exe

    Filesize

    243KB

    MD5

    a0235a236558927f5eaa22e2adef0bc1

    SHA1

    8a162989a4e6546601dcf3a7c5ced8d236813112

    SHA256

    1284dfaca7cc285df88c8b59a77850e1c515b92c18fdbe893ce8ef8fdf8ca7e5

    SHA512

    00749c582383a5687e52fdd148a4ff01f1c3875f600b2523e6d9260a18149b52c74b66f244799d5802b4b3f8df8d047e0d39dc1483e6856a23092da52c545635