Overview

overview

10

Static

static

10

0.zip

windows7-x64

1

0.zip

windows10-2004-x64

10

0.exe

windows7-x64

10

0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2024 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0.exe

  • Size

    71KB

  • MD5

    2a9d0d06d292a4cbbe4a95da4650ed54

  • SHA1

    44c32dfae9ac971c3651adbd82c821971a5400dc

  • SHA256

    09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c

  • SHA512

    ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d

  • SSDEEP

    1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0.exe
    "C:\Users\Admin\AppData\Local\Temp\0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2356
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\2806500.dll
    Filesize

    64KB

    MD5

    45dc749351fd65d71da89ca2ed2766cb

    SHA1

    e080faf81157b7f867cb56938c5e579c206af9b9

    SHA256

    391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25

    SHA512

    7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74

    Download Submit
  • C:\Windows\FileName.jpg
    Filesize

    775KB

    MD5

    9069fb7a4b151f2c3551b272f98e31b8

    SHA1

    ab9f50640162aee61d1196358a38d34c8cd0ebee

    SHA256

    3b1c885910a92ab47f8f0f872c303c367ba350b6509c695a78fefb866741af76

    SHA512

    e0a2f6ae2f93e08b0cc95e54bc492569d2340d909a70f76e914fd0b0493b06c10a1dffec8e21ccc67d1da62a324b4d605f49ee74831169fe19d98208de7d0eff

    Download Submit
  • \??\c:\NT_Path.jpg
    Filesize

    54B

    MD5

    e64dac793cc7ee4aa530273d4c61ba02

    SHA1

    cea52ee017eda0ecf6fdeb18a03ae98fe0e83b27

    SHA256

    9a311ca461ada2ff181aa8f5558d7a5787da197e3256612ab634c2289590106a

    SHA512

    336fa0e7bd8360f47cf2381a16987b5d340b8ef8b60044dba16ff18b524346e788a3aed144122a55a5d760e86b281bec91f4a5e25671e722b595bfbe5b6b5963

    Download Submit
  • \??\c:\windows\filename.jpg
    Filesize

    727KB

    MD5

    45efc9f4c1c67fed229a6359facd8cd6

    SHA1

    82dc6ebedc29d8b8e64c10cdf75b0f10b562639a

    SHA256

    6046535516a3cdf6ef8812ddc552385150b49444a1d22edad53a4da8ab7db9c0

    SHA512

    1dfaf4662940db338f362752f9c51517295b5240a0109d2d1bda34503bacec891f5591ff1dd409c81918b1da84885cd67875cb02f6646821814b3ec0773efd0e

    Download Submit
  • memory/2356-1-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

    Download