Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31-12-2023 02:06
General
-
Target
23e43d7a5d3e5422e7369143f6b0c461.exe
-
Size
916KB
-
MD5
23e43d7a5d3e5422e7369143f6b0c461
-
SHA1
fab82ebd489b3b6e229f38252c248536f6116a68
-
SHA256
78c306a02f8a7e8a0584243301d15aaa311194e8d5c90c33da39951e716e3d3a
-
SHA512
a9a99b49d5a43a3817fefb59da91491eadaf3ec27c932458f5c5361590a40e21b18a4d5e926b56fc37aa4b27c1f5f01e83f3a8b0907c1001368f7be2803beca6
-
SSDEEP
12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZRJ:iM5j8Z3aKHx5r+TuxX+IwffFZRJ
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\23e43d7a5d3e5422e7369143f6b0c461.exe"C:\Users\Admin\AppData\Local\Temp\23e43d7a5d3e5422e7369143f6b0c461.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\Windows\svchest432048043204801465662051.exec:\Windows\svchest432048043204801465662051.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
916KB
MD523e43d7a5d3e5422e7369143f6b0c461
SHA1fab82ebd489b3b6e229f38252c248536f6116a68
SHA25678c306a02f8a7e8a0584243301d15aaa311194e8d5c90c33da39951e716e3d3a
SHA512a9a99b49d5a43a3817fefb59da91491eadaf3ec27c932458f5c5361590a40e21b18a4d5e926b56fc37aa4b27c1f5f01e83f3a8b0907c1001368f7be2803beca6
-
Filesize
93KB
MD592dda9340ff65a193004ae5de0770969
SHA1c42bbcca5d6d31ed3c805d0bfc3819f3cc830a6e
SHA256868e15a7a549cc6a6429739eba07f8a29239f87c2c93fa716c933729cbf04546
SHA5127a24a129378174e01a40e9e7066fd5fb7d4071f3fca27f118ce05ea4fd339f7663a43148c4925c9935d17590dc0cce4ef884061f71992827fc9b5ec3c8dabc55