Overview

overview

10

Static

static

10

04f4b4effd...58.exe

windows7-x64

7

04f4b4effd...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04f4b4effdc1391c2c894b97db7ea058.exe

  • Size

    665KB

  • MD5

    04f4b4effdc1391c2c894b97db7ea058

  • SHA1

    1660bc1c8383123225b1b700fb0ea565abe4c98b

  • SHA256

    4590fac601030d026b9ed024e25504f798becdac93f2a910ee8003b60d26f735

  • SHA512

    59c6b8c78dc6ef29918d55ab32278e9161d1af76702588a5a7096604dcf96fe72f627558a1f2e5ddf7b2948b852e978c148452e4c87233fc987f5153f6b5f74f

  • SSDEEP

    12288:3/eC0vZVQQxfnr+TK7r79/JenWAG36ATphjM5BvF:3/XwVQQxfnr+TK7r79/Je3GqArjM5BvF

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04f4b4effdc1391c2c894b97db7ea058.exe
    "C:\Users\Admin\AppData\Local\Temp\04f4b4effdc1391c2c894b97db7ea058.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:228
    • \??\c:\Windows\svchest425112042511200.exe
      c:\Windows\svchest425112042511200.exe
      2⤵
      • Executes dropped EXE
      PID:3864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchest425112042511200.exe
    Filesize

    381KB

    MD5

    941679199da553936d2cbf3a84c84cba

    SHA1

    909169b6e8ca5028ff3baa527e2d4bbd2d685efa

    SHA256

    0d972db047bf510c775e05db48a8ff26716d5af00b274bce434e50d8473bf0a3

    SHA512

    fb0598755f9dda9b742d0f97f3b7265c723d82ce78956fa30bc97d7c2a75395c8607e92711af37abbfadeabdaa81b12f5dc27ae4cd5e8f6ead8e48ac64a19769

    Download Submit

  • C:\Windows\svchest425112042511200.exe
    Filesize

    384KB

    MD5

    3c2d8e8ae51aebd094bc53d7aaad16d1

    SHA1

    a8c909878f50cb4645d70068a1bc08c719c7b995

    SHA256

    dda88d194db98836925dcba39d36ca195dc6087f3f071c60c6fb1e7778b4f866

    SHA512

    3c4677976f7b9207be9dc7ca632cfc0320f0f83a07d049a21f5e84907da68128168d4e8ecc34ee2e4fc165fdb1b9c4251ac03484d7de2b666778655992436dfa

    Download Submit

  • \??\c:\Windows\svchest425112042511200.exe
    Filesize

    92KB

    MD5

    e36745822a2ca729ad784ee4bf67aed2

    SHA1

    66266fd56e108944731b3685b052d81aec5c328a

    SHA256

    0da349ce43088775d93fa06275e0dd515971e783ed100d8472e7bab36f86500c

    SHA512

    7427a6b0c9cd265262565e951fc4bee10dda6d3bd4c0bb8739df058171deae6818dc22241f2267165028586c0ffb47a7a982a4fc2311410727693f34f2e036ae

    Download Submit