Analysis

  • max time kernel
    147s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2023 00:21

General

  • Target

    085d54b29bcd7f20c10518ea08646605.exe

  • Size

    861KB

  • MD5

    085d54b29bcd7f20c10518ea08646605

  • SHA1

    32da061ce10cd0ad672fff2c97a1f76838b76668

  • SHA256

    e4087b2fcc934a05211165eb5f514d11f7e227bdf6a6cbdd3a65242c6440d3e9

  • SHA512

    becd2e072996baf1fb7b3375157de5cbd7488c46c249c3631b9988639a9998966fc18418247c76cb3cbe29dbae044423bd7d9f92ee2ff47c347b040d4fb78b08

  • SSDEEP

    12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZ1vW7:iM5j8Z3aKHx5r+TuxX+IwffFZ1vW7

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\085d54b29bcd7f20c10518ea08646605.exe
    "C:\Users\Admin\AppData\Local\Temp\085d54b29bcd7f20c10518ea08646605.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2552
    • \??\c:\Windows\svchest432048043204801465662051.exe
      c:\Windows\svchest432048043204801465662051.exe
      2⤵
      • Executes dropped EXE
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\svchest432048043204801465662051.exe

    Filesize

    14KB

    MD5

    d1db0b2dd15e8bf0333bff88d0f9d3c5

    SHA1

    be2740a540ccae582e4b87df6f8ef97f32567f15

    SHA256

    6fff3e6027ffea7d2ee1611c8ca3d468dd0caa32bcaf8dc279f5fb87fa4269c8

    SHA512

    62b919a86d65fbd0811fabf58bec936c897fe44173a80de2e1936332d2c450f63dca49a703fe40f20ec6e035350313d075b569a3e6f1fa0e4f4593490c6bdcd8

  • C:\Windows\svchest432048043204801465662051.exe

    Filesize

    7KB

    MD5

    7003576a04986f2cbbc4ddfa26b98047

    SHA1

    8561249426e1ec2e12725948f25fb84011a03f02

    SHA256

    21b7ddbf5c700fc1192c1ab5e8db4558ba447d63f57a1e3b29508e4d7af386e9

    SHA512

    25e35f55da776d7da8f1ae82d86615d0e775618c0e8b54fc186705aa824a274e940477ca3a3a697cef85b7ec4edfde626a0a07fbd76af29b748b15f93ff5d423

  • \??\c:\Windows\svchest432048043204801465662051.exe

    Filesize

    17KB

    MD5

    9213cc8ada37394d456bbc0126f29e89

    SHA1

    9e010eb3829212bd144a7a50e869dcba24467af2

    SHA256

    63565cf53ac698029df4d3610b208f414ab0857be45ef442df6a39a10b28602e

    SHA512

    5f4102b4e4158e68e390edd264f70b46ce883d828993e04debc463ae45afe35a815c9799b88eb90872506ff20d02a3dc464b4c13d0ddf10b11969fec94a81369