Overview

overview

10

Static

static

3

ae0e44afbf...a4.exe

windows7-x64

10

ae0e44afbf...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2024 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe

  • Size

    600KB

  • MD5

    5139ade75af37250e97b19f76a532621

  • SHA1

    94e76438bca9b7786e917b344f7cce319eb53f34

  • SHA256

    ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4

  • SHA512

    1ef0e4c8f4ec46146c2de88b40d25ba43ac76437de81458cffae87fa5a8030b4176a3d4e59470066318d8fcf9cb0aeeebda6c4c9d51b721af5dbeca22c6e8c7a

  • SSDEEP

    6144:8PIP+niD5Gcc8419jmjA3c8lDPj2DLxrj61wW1wNE1wUzA:8P3iw8yaA3c8VGxvmH44n

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe
    "C:\Users\Admin\AppData\Local\Temp\ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AE0E44~1.EXE > nul
      2⤵
        PID:2588
    • C:\windows\Gwcggu.com
      C:\windows\Gwcggu.com -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\windows\Gwcggu.com
        C:\windows\Gwcggu.com -acsi
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1972

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Gwcggu.com
      Filesize

      600KB

      MD5

      5139ade75af37250e97b19f76a532621

      SHA1

      94e76438bca9b7786e917b344f7cce319eb53f34

      SHA256

      ae0e44afbfd5f450f7a5f0dae68869163d469cf56c836b7c4f2f7866ccb1b5a4

      SHA512

      1ef0e4c8f4ec46146c2de88b40d25ba43ac76437de81458cffae87fa5a8030b4176a3d4e59470066318d8fcf9cb0aeeebda6c4c9d51b721af5dbeca22c6e8c7a

      Download Submit

    • C:\input.txt
      Filesize

      4B

      MD5

      250413d2982f1f83aa62a3a323cd2a87

      SHA1

      3c24f257fbe14b58141a0ab7dbd5484c1d561f2c

      SHA256

      54a462dce3c1abb2b43ba63a42bc391fa5561bfeafe737bd1f4845b902ffbfe3

      SHA512

      e62538b99ca820e4ef2c24da6dc2afbe963c6793f0f7a93dbc231bdf44b77baa288d4ed18e8b05a3e5446454029d127fa54ead1c5fd9d7ff91fa21006e12f699

      Download Submit

    • memory/1972-20-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2452-13-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4860-3-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download