Overview

overview

10

Static

static

10

7bda8e49bb...c0.exe

windows7-x64

10

7bda8e49bb...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7bda8e49bb86d513c45a2ae525045dc0.exe

  • Size

    114KB

  • MD5

    7bda8e49bb86d513c45a2ae525045dc0

  • SHA1

    1ad492c50bcb3cf8f667506157fe1df4380e9018

  • SHA256

    5423dd26a40dacfd4bec46efbe552356765c07bca38e923e0849b236b4423d69

  • SHA512

    1175c38c4727a2bca792ded0286b3bef22a51b2ad5467b7f00196d487e24e5c21e1198fa6a84bde875a9e28506036204eb751a5abef538a3448057c9ac4890b6

  • SSDEEP

    3072:sjHWdGVxibiFahBQizwucbXBIkR5wLG4:s/eb+Kk/bXBIkXwL

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bda8e49bb86d513c45a2ae525045dc0.exe
    "C:\Users\Admin\AppData\Local\Temp\7bda8e49bb86d513c45a2ae525045dc0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:376
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\main.jpg
    Filesize

    720KB

    MD5

    393b90fdba879f9ba16fe7f0e6a9ea13

    SHA1

    849975d8c9c314ad568c14731e49db133e0f6d3e

    SHA256

    ee54b3b3572b9bc98611aa72c28ce5db0257953e0e089a00d73645b083df8884

    SHA512

    80b57576b11e9049d4c7dcaa3f986648bb7b124c96dfca6be57eecc5c17c02b6f2ee71bc4b07dab12bd672edc257e0d9f342d6bfc42b30f7681692d6692c8f2f

    Download Submit

  • C:\Users\temp2.gif
    Filesize

    105KB

    MD5

    c9cdb35c515215aac0b5182e4372ac47

    SHA1

    3a6f12c299795a028f4ed4fef60b970046de4d1b

    SHA256

    206c9e8852ace8666e0b8756d7a4ad8fba397573e53f4b57ecd1d35e6d686bec

    SHA512

    c27aa0e52f88fb99cdc3b44eeee1d72e67401ab5d8e4bdd9e488956aaf02885c1dbfe02e91c14e3491886e99e564889e9fe9982fa110deb3e14841e3f062e4b9

    Download Submit

  • \??\c:\program files (x86)\common files\main.jpg
    Filesize

    4.8MB

    MD5

    930a2bcad14e1256cf27aa967cc1c2a0

    SHA1

    836881f8e6a28105210a39a11c5dd029d08e3a99

    SHA256

    0fbb62d27c30cc4cfc5001ec7f066f7cebb55f55739ad851792772318c1a88c9

    SHA512

    22ff7e9b440b3ee1ea5fd3252c833ecf1f058328739736fbb987e1de0967a9e7e5d26dbe2f0ff8eced25ff3b9cc351d7d7a437fcd6873973fc8c2463ddbf18b6

    Download Submit