Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
30/12/2023, 02:30
General
-
Target
0bb52eb14b2b30f81854c3114d7839dd.exe
-
Size
109KB
-
MD5
0bb52eb14b2b30f81854c3114d7839dd
-
SHA1
3cf6ed8efc69fb3bd3e787350b27c4325821a6c5
-
SHA256
a70b0835b024da06ae9deb6f667b81113f060241f145c2a71f1f9a2b838fb826
-
SHA512
5428e7713c24d90ee9fd59b61d97dacfe11f04ec926ae3ba2a1afe9c4a63076d5cdc39b4554e90376fccf91cb5b224856c5e6cd2ea7843c34fa708f977e8e74d
-
SSDEEP
3072:uus2d+oIsHPQ3sPWpXwhlSzmw89YRbJP7ose:uAd5XPssNazfmYRdPEse
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bb52eb14b2b30f81854c3114d7839dd.exe"C:\Users\Admin\AppData\Local\Temp\0bb52eb14b2b30f81854c3114d7839dd.exe"1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0bb52eb14b2b30f81854c3114d7839dd.exe"2⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
81KB
MD5ff4831f0b15125960b079b16a259375c
SHA152af7ac2e49460450ff76634120100988bd53b5c
SHA256c523f34c0ee60e11493a54e1220d97e2bcd0aac2b2e3d26f2a00e9662c5e1f8d
SHA51256fae33bb5e418e95fd03c4f3ad7275b7f1344fb224dbecb53497ce83bd71731877003dee18b7204d8adcaebfbc91133f90ac1a2754827ad74c5e99d7b2ea81b