Overview

overview

10

Static

static

3

8c0f2e958f...98.exe

windows7-x64

10

8c0f2e958f...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19/02/2024, 08:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8c0f2e958f55223c22e34d27c634e5e6832015d7261e04ac343a46a34840d798.exe

  • Size

    396KB

  • MD5

    7e55fa38174e4f18522aa08011c65783

  • SHA1

    a945e1df752a25725798d42b55ef44c36b6d9cc2

  • SHA256

    8c0f2e958f55223c22e34d27c634e5e6832015d7261e04ac343a46a34840d798

  • SHA512

    5fee0fd150c176649805e53f42a4a3b472604c950d285ba00925bca6ca859ea034c6ebf2dfb66bc7d8c5cf4d8c9839cb185ba7dfb16008878400da8793fe6bc0

  • SSDEEP

    3072:q7K/yLrQbWaR5Qax8cytUTlZiftPRAqE3PC8tSoUSZQWKMK8iA:qqyLEbWaR5Ccy4ifXc3PXS/SZjK18iA

Score
10/10
gh0stratrat

Malware Config

Extracted

Family

gh0strat

C2

156.236.72.163

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0f2e958f55223c22e34d27c634e5e6832015d7261e04ac343a46a34840d798.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0f2e958f55223c22e34d27c634e5e6832015d7261e04ac343a46a34840d798.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    PID:2448
  • C:\Program Files (x86)\Microsoft Geigkg\Bihvfgk.exe
    "C:\Program Files (x86)\Microsoft Geigkg\Bihvfgk.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Program Files (x86)\Microsoft Geigkg\Bihvfgk.exe
      "C:\Program Files (x86)\Microsoft Geigkg\Bihvfgk.exe" Win7
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2820

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft Geigkg\Bihvfgk.exe
          Filesize

          1.4MB

          MD5

          9bd005434c2473f2a4adc2a88165c171

          SHA1

          de595a8fadebea8f5ede61e73f16bc9318f73b49

          SHA256

          65ef3271ffbc76d3fc0f519186bbd8657f65337aa6720dd3aed9d83de3b71826

          SHA512

          e24d5b5947598cb394b906bf66301f4df5fa937ab635de224895e3cf7be81697bbdc3d3447317e229591d343901141e62d21e586f53e36bfdbd0f4ad42a92495

          Download Submit

        • memory/2448-0-0x0000000010000000-0x0000000010015000-memory.dmp

          Filesize

          84KB

          Download