Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 19:54

General

  • Target

    02593f6e8fc0aa95f4c0f6d8cc0bd442.exe

  • Size

    496KB

  • MD5

    02593f6e8fc0aa95f4c0f6d8cc0bd442

  • SHA1

    a61e49fb9f4b1ed2e6a05e0b523dbe365eeeead7

  • SHA256

    3b9cdc6329782a396064b6b4d8103caf3ca185167acc016d9eb78dc0e86ed9f3

  • SHA512

    38577ab8d79429efc398fe47af96f11010efaad6b2a4a146cd513843bcfc2e2c907941b5c1cfdb21200f80285b696664e8df2fd65350fdd86955cae4db16e0da

  • SSDEEP

    12288:lzgZVQQxfnr+TK7r79/JctWWwCKOOEwYM5IjsOC:leVQQxfnr+TK7r79/JcTw5OoYM5IjDC

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02593f6e8fc0aa95f4c0f6d8cc0bd442.exe
    "C:\Users\Admin\AppData\Local\Temp\02593f6e8fc0aa95f4c0f6d8cc0bd442.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1944
    • \??\c:\Windows\svchest000.exe
      c:\Windows\svchest000.exe
      2⤵
      • Executes dropped EXE
      PID:344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\svchest000.exe

    Filesize

    42KB

    MD5

    6bee1250fe597202da643922e6f99af4

    SHA1

    f018ee68aa7eefe905a33fb58e75f63c4d67a27c

    SHA256

    e71c2913cd76ea0b1aaffd97ebc559cfcb38944fb23f497bd6b3e117e4a0e918

    SHA512

    f5f0d1ce35003f95b0aeed3139cddb7712f6f2b05b59ec53dc3c74bd9679ad0872c763252c7d2dde2e4febea729ff278d6572d5d91c9824922474b17d25bb9b0

  • C:\Windows\svchest000.exe

    Filesize

    30KB

    MD5

    081ed828a064faa07acb142c76ff8bf7

    SHA1

    8d3f9db0a7dca756befea6cbe3b6fdf5a65a2606

    SHA256

    659605d131d8d1714fbb179d1e697be5eb02e82f9607ff018edc7420e1105b0a

    SHA512

    e5d90a2d87c98d9f52256b00a5845465633c5c4fcd8e5b64a236ee086d85bd506fe6abcc29c1bc81ed360dd7a972a7e33a81462a919c4f2b4fe5adbd9a610996