Overview

overview

10

Static

static

10

5f9ea446bd...81.exe

windows7-x64

10

5f9ea446bd...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f9ea446bd8a6ba62d57fcc99a365381.exe

  • Size

    984KB

  • MD5

    5f9ea446bd8a6ba62d57fcc99a365381

  • SHA1

    6b082fe198884e0109bc4239f668ebc6bef913b7

  • SHA256

    e1899f8496c763f95eddc25b9cdbc6687211d24bdf57faff3db9a952ff6ccba2

  • SHA512

    5297072739fa70542527fc2d8527ea684ae4ff66e411fe7ac2f0e747c7b34ee05c109f7e5d848309777ad102ed2ccf5c5d6ce90491c1e9e9943bc145e12bac01

  • SSDEEP

    12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZZ4:iM5j8Z3aKHx5r+TuxX+IwffFZZ4

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f9ea446bd8a6ba62d57fcc99a365381.exe
    "C:\Users\Admin\AppData\Local\Temp\5f9ea446bd8a6ba62d57fcc99a365381.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3448
    • \??\c:\Windows\svchest432048043204801465662051.exe
      c:\Windows\svchest432048043204801465662051.exe
      2⤵
      • Executes dropped EXE
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchest432048043204801465662051.exe
    Filesize

    40KB

    MD5

    3cff53bad6cd17dadea6d07d59b0a04b

    SHA1

    3886877e6a262c708725a20df93fa282a9dc3e5b

    SHA256

    da2b00e3d0a81ea088fadd36ea0e20bab93d38cbf1af1f520ee7319e928882f4

    SHA512

    da070ecaa3d9f8cec0bcd7ce2d1b160e2393a36f63e80f0924faa7bdeffa7149484386897be6c854724bb074d22e94ab6b31c0bcdc5cc136c6f9f0da9afaebd3

    Download Submit

  • C:\Windows\svchest432048043204801465662051.exe
    Filesize

    1KB

    MD5

    83d31537bae0f26725fdfc0803aa42c7

    SHA1

    436acb953959ad81c1144b5ee534ba1d68b6be89

    SHA256

    82d81daa1833fff2a46d5ce0d439cd746e0c196e48f7a96a8f60166e8a6f23e2

    SHA512

    14d48f92e6ee84f57d2385ebce592b2c49c05f305eed069fffb1e6fd132f27104363bf4906ec03c9ada8d382a1d2828768d8c45e08854b913e22ddeafcd626fd

    Download Submit

  • \??\c:\Windows\svchest432048043204801465662051.exe
    Filesize

    11KB

    MD5

    b9b72562493f945b6e20c482d946efed

    SHA1

    47b2e70ba3c605e278abc51ed95a00839974c22a

    SHA256

    4a6b9d311385618d2ffac52998d5b7df3b82eb7ebf26ee9d6b1eb6d8b3f324b3

    SHA512

    ab482fb999d8f244093f67c3484c42b6296313075eecce2ddf2074a80342f4774cb2acc464205b3f04df92729a1512d01a2c91705a8f08591ccc18bb053d34fe

    Download Submit