Analysis

  • max time kernel
    185s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 05:42

General

  • Target

    2a6f1aefbef5007e990364f6e9723704.exe

  • Size

    784KB

  • MD5

    2a6f1aefbef5007e990364f6e9723704

  • SHA1

    8f29bb3e321abb99b05cabd8ec34dcc9bad8ce98

  • SHA256

    7eb307e749e0493cad075443aa0b8da61bb41e58bd83851b3a1e70993bdf2db1

  • SHA512

    eb0898291afeec3a2bd5255e583e5a135d46d5af8b73e33410cc4efdc29453c865c804c98b11e369b847cc58c0522ffa26105af5a7cd7c9b54adb8a788811de8

  • SSDEEP

    12288:jt0VPFfsKAkrbPlXhHANUTNqmkgHANUTNB:SFksb1Amks

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a6f1aefbef5007e990364f6e9723704.exe
    "C:\Users\Admin\AppData\Local\Temp\2a6f1aefbef5007e990364f6e9723704.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2876
    • \??\c:\Windows\(null)0.exe
      c:\Windows\(null)0.exe
      2⤵
      • Executes dropped EXE
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\(null)0.exe

    Filesize

    92KB

    MD5

    9b38dfc04cebb740300c5e7335ae536e

    SHA1

    c64c72a824108f92387ca74f7e7622fa41ae75f4

    SHA256

    140ea6c44e239d0163c02754bad2d3dec41fa12d6fe9f403d69a32a16133901f

    SHA512

    dec4d4f08f70fa05b708704a14ed17864e14d461d2f0987d9c30b55f2de97ae065c2613646e0a7da04c6c295a9e6b4d9bb92e328bcfc1a2c3673a5fb25616cd3

  • C:\Windows\(null)0.exe

    Filesize

    384KB

    MD5

    b6efe48beb21a3d9d5c68d3ed3045ef8

    SHA1

    2b14c9375e82100f46448ee696367c3e8f3b0c0e

    SHA256

    9b2de18dd901c72baaf9d13958c8c7e95489cc0c888f4a872bb82d8b65918268

    SHA512

    d24debba2455df914a8c881df25555cbd13ac8e88e6793690a1ab349d6331ce5428f99e6a0621d95014e71f79ac7ea1a38f1d532ad8d988212dbb5d7698226a2

  • memory/2712-11-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

  • memory/2876-0-0x0000000000400000-0x00000000004F1000-memory.dmp

    Filesize

    964KB

  • memory/2876-9-0x00000000025B0000-0x00000000026A1000-memory.dmp

    Filesize

    964KB