Overview

overview

10

Static

static

7

0fab6d7dcb...dc.exe

windows7-x64

10

0fab6d7dcb...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fab6d7dcb1040646df8e0c303a1b4dc.exe

  • Size

    919KB

  • MD5

    0fab6d7dcb1040646df8e0c303a1b4dc

  • SHA1

    457166a4559aeb6f41ce4f252ce6a834e2d05401

  • SHA256

    58f77cb4ca9427a9cbf8570d17b260621be83d729d0cb34e1e00789150032c1a

  • SHA512

    766b5cc585222120968bf41217bc8edf5e26195c60be8269d872edf25d9f9092a89d100e651807ab853aa3871f259108b08d15fd1aeb108b3c6ee1dc7a0d82b7

  • SSDEEP

    12288:jt0VPFfsKAkrbPl7cHANUTNhG2HANUTN+4j:SFksbMGr4j

Score
10/10
gh0stratpersistenceratupx

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fab6d7dcb1040646df8e0c303a1b4dc.exe
    "C:\Users\Admin\AppData\Local\Temp\0fab6d7dcb1040646df8e0c303a1b4dc.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1944
    • \??\c:\Windows\(null)0.exe
      c:\Windows\(null)0.exe
      2⤵
      • Executes dropped EXE
      PID:1600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\(null)0.exe
    Filesize

    919KB

    MD5

    0fab6d7dcb1040646df8e0c303a1b4dc

    SHA1

    457166a4559aeb6f41ce4f252ce6a834e2d05401

    SHA256

    58f77cb4ca9427a9cbf8570d17b260621be83d729d0cb34e1e00789150032c1a

    SHA512

    766b5cc585222120968bf41217bc8edf5e26195c60be8269d872edf25d9f9092a89d100e651807ab853aa3871f259108b08d15fd1aeb108b3c6ee1dc7a0d82b7

    Download Submit

  • C:\Windows\(null)0.exe
    Filesize

    846KB

    MD5

    b9784a0ef820c697bf98cd55ab5a6e74

    SHA1

    45a61699786f5fabf075a44979a6b06339907dd8

    SHA256

    ab2aef6a6b8af79578da234ebc73553513a562c9a3c4c7dcfc3ae37e84d41ffe

    SHA512

    a03f90d8fb9cffa206a8d9d88313d1d73e920b880808f4a45eeaca281a96ffde768afb9a722cc5557f695785b5de4760f2cebc6e53ebd6073b1df97e45e99b99

    Download Submit

  • memory/1600-10-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

    Download

  • memory/1944-0-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

    Download

  • memory/1944-9-0x0000000002610000-0x0000000002701000-memory.dmp

    Filesize

    964KB

    Download

  • memory/1944-12-0x0000000002610000-0x0000000002701000-memory.dmp

    Filesize

    964KB

    Download