Overview

overview

10

Static

static

3

fd76f33d9f...9e.exe

windows7-x64

10

fd76f33d9f...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd76f33d9fd077d0ead2ce303309d59e.exe

  • Size

    384KB

  • MD5

    fd76f33d9fd077d0ead2ce303309d59e

  • SHA1

    f8cea96f72446fa361ac0d8d4d1f3ef91ecea82b

  • SHA256

    e06ef1e18c7b7b258af077b8e7e8978357d62c48775dd8c2e73bef546c3f3299

  • SHA512

    d1794636190433c59633be69c010ccf5e699dfdff0f8aeaf15457017397cc20401d02646690f028cfc5abf93bb238d410368021ee639f6ae24c0a27f1d10c49a

  • SSDEEP

    12288:KPdK4bgeK8VL5TKjb31wgxllhz7G60i2qvyOW:KPBjK8VlYb3P9Fa

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd76f33d9fd077d0ead2ce303309d59e.exe
    "C:\Users\Admin\AppData\Local\Temp\fd76f33d9fd077d0ead2ce303309d59e.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2856
    • \??\c:\Windows\svchest000.exe
      c:\Windows\svchest000.exe
      2⤵
      • Executes dropped EXE
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchest000.exe
    Filesize

    384KB

    MD5

    fd76f33d9fd077d0ead2ce303309d59e

    SHA1

    f8cea96f72446fa361ac0d8d4d1f3ef91ecea82b

    SHA256

    e06ef1e18c7b7b258af077b8e7e8978357d62c48775dd8c2e73bef546c3f3299

    SHA512

    d1794636190433c59633be69c010ccf5e699dfdff0f8aeaf15457017397cc20401d02646690f028cfc5abf93bb238d410368021ee639f6ae24c0a27f1d10c49a

    Download Submit

  • memory/2644-28-0x00000000002C0000-0x00000000002FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-20-0x00000000002C0000-0x00000000002FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-18-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2644-19-0x00000000002C0000-0x00000000002FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-30-0x00000000003A0000-0x00000000003A3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2644-29-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2644-27-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2644-26-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2644-21-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2644-24-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2644-22-0x0000000000320000-0x0000000000322000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2644-23-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-6-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-3-0x00000000002C0000-0x00000000002C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2856-35-0x00000000028A0000-0x00000000029EE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-1-0x00000000002E0000-0x000000000031E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2856-11-0x0000000000380000-0x0000000000383000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2856-10-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-9-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-33-0x00000000002E0000-0x000000000031E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2856-0-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-8-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-4-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-25-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-5-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2856-34-0x0000000000400000-0x000000000054E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2856-2-0x00000000002E0000-0x000000000031E000-memory.dmp

    Filesize

    248KB

    Download