Overview

overview

10

Static

static

7

b75b9b0e09...1e.exe

windows7-x64

10

b75b9b0e09...1e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2024, 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b75b9b0e09e55b3d020a0e4d80ee1ed05c490f4024233f806243fa0768d45f1e.exe

  • Size

    2.1MB

  • MD5

    08f9669972bf8032a8fc606cc389cb99

  • SHA1

    6b44cb1b32be04f132e78e199e9d616f3cad6338

  • SHA256

    b75b9b0e09e55b3d020a0e4d80ee1ed05c490f4024233f806243fa0768d45f1e

  • SHA512

    1014b886d6e1caa3092399697a4aa0e9e1c0e37e246210b8534e1aec480d0327bad02ab932866b55fb7740c12a7a7c5755c88a23ff7a708abd1d6ca0779c6ef0

  • SSDEEP

    3072:YyIpG2/iDbYACgYf+74wtCCVSIOObQ+ju8k+8R8iVt:9IposJghsgCCVbkz8iVt

Score
10/10
gh0stratratupx

Malware Config

Extracted

Family

gh0strat

C2

101.43.78.212

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b75b9b0e09e55b3d020a0e4d80ee1ed05c490f4024233f806243fa0768d45f1e.exe
    "C:\Users\Admin\AppData\Local\Temp\b75b9b0e09e55b3d020a0e4d80ee1ed05c490f4024233f806243fa0768d45f1e.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3012
  • C:\Program Files (x86)\Microsoft Ooewom\Qovrzmo.exe
    "C:\Program Files (x86)\Microsoft Ooewom\Qovrzmo.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Program Files (x86)\Microsoft Ooewom\Qovrzmo.exe
      "C:\Program Files (x86)\Microsoft Ooewom\Qovrzmo.exe" Win7
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Ooewom\Qovrzmo.exe
    Filesize

    2.1MB

    MD5

    08f9669972bf8032a8fc606cc389cb99

    SHA1

    6b44cb1b32be04f132e78e199e9d616f3cad6338

    SHA256

    b75b9b0e09e55b3d020a0e4d80ee1ed05c490f4024233f806243fa0768d45f1e

    SHA512

    1014b886d6e1caa3092399697a4aa0e9e1c0e37e246210b8534e1aec480d0327bad02ab932866b55fb7740c12a7a7c5755c88a23ff7a708abd1d6ca0779c6ef0

    Download Submit

  • C:\Program Files (x86)\Microsoft Ooewom\Qovrzmo.exe
    Filesize

    1.2MB

    MD5

    28de003ffb213cae51d7a60cf91fbb70

    SHA1

    bbe92957de66e8e39e4652d1e9d9c778e70c8793

    SHA256

    cd0c66292faea50d58cb6f484db935931f8b991dfabfe5d210a8dc5d63b40d1e

    SHA512

    1645034957e67e8804f8e900c5602f33fdbab67c1c4b7a265efa7b3c464d706ea9f2a34517f47b8f1b808b83c2263d925498f2dc2dad07ffe2cccd0c6f9bd3f5

    Download Submit

  • memory/2032-15-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2032-19-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2204-8-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/2204-14-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3012-0-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/3012-1-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3012-20-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

    Download