Overview

overview

10

Static

static

3

ab6fbe2eff...29.exe

windows7-x64

10

ab6fbe2eff...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 08:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ab6fbe2eff308576ed8eb2f327b46a29.exe

  • Size

    46KB

  • MD5

    ab6fbe2eff308576ed8eb2f327b46a29

  • SHA1

    7601761f59ef1fd6fb02467f65a0ef45ffd773dd

  • SHA256

    9e5ce4ec56575b7587d4c76a837d5aca35164567b605f4f28b327ff9a175de4b

  • SHA512

    b819c41961021516781ecdbe1c8b6a038cca48a05b920e33a6fdc7cf7c0868bbd2e1f77ab46ffa00b1a4157ad890b0821d9be1d66b41e2d423585e5c5a33e204

  • SSDEEP

    768:ZpjjehW35rlJdP0hKteKfV7EJKF4uOLv3+J+az3eiq1dZSEDYHSJ/69dp:ZpjjdJRJChMeKfRJQhy3hq8EkHa69H

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Drops file in Drivers directory 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab6fbe2eff308576ed8eb2f327b46a29.exe
    "C:\Users\Admin\AppData\Local\Temp\ab6fbe2eff308576ed8eb2f327b46a29.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:3184
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    1⤵
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    PID:2676

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\240597578_ex.tmp
          Filesize

          93KB

          MD5

          a559936e72e1c8bbf669fbf21061431f

          SHA1

          7431e098b17f5438ce0f482cada87163fcc29518

          SHA256

          f3bd2d7ded79d0bb83189c3e9d8f6400305f9761c76cb02eb28a048ce20fe341

          SHA512

          42509b2cc233a67a252d406ef72a705c23d619f8021fb05303a04d81a4ee0c12f83b753f76a8f2906d0e055ce6a75ba4b3e51f324e248a90aa121da92e8005ff

          Download Submit

        • \??\c:\windows\SysWOW64\fastuserswitchingcompatibilityapi.dll
          Filesize

          93KB

          MD5

          e230a2ebe15a685992fef400e5f73b8b

          SHA1

          ba157093d4be2c27b4ddde4c4017c1205971ea6e

          SHA256

          cc0f0f144a9053c16bf83dc4094c981f405303907a8ccccf41179c071b9949f2

          SHA512

          a6e0a839e64b3d4d62f3fa3322a74092419c4f5c5f0ff6772deed8252d1c50a6b84c9ecdec201728137d62acdffcfd3866e5498c466578a13a606811de148c09

          Download Submit

        • memory/2676-16-0x0000000010000000-0x0000000010029000-memory.dmp

          Filesize

          164KB

          Download

        • memory/2676-17-0x0000000010000000-0x0000000010029000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3184-5-0x0000000010000000-0x0000000010029000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3184-7-0x0000000010000000-0x0000000010029000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3184-10-0x0000000000600000-0x0000000000601000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3184-9-0x0000000010000000-0x0000000010029000-memory.dmp

          Filesize

          164KB

          Download