Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-03-2024 05:46

General

  • Target: b3f053c1c01d2a8837f7fe4326229a45.exe
  • Size: 124KB
  • MD5: b3f053c1c01d2a8837f7fe4326229a45
  • SHA1: 860c6db177cc9946455a1c315d2aa69f57fa58a9
  • SHA256: 5c3aa56e0b423b3e51d4021593b62a98b0df597b7d023311466a37caad3de13d
  • SHA512: 9fc9cb23d35d27e73ecc5e60285a84a6a41a1730bda9e0c2b9cabf9579bbf274035317155503d9d3c724b6c5e88acf3d31ac7d367faeebdb34a025c703570e33
  • SSDEEP: 3072:fn8vyFwFD6HDIgRAD+rG8RsaESUjx/kKYjzr:fn86FjHm4G0JGjxstjH

Malware Config

Signatures

  • Gh0st RAT payload (2 IoCs)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  • Deletes itself (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Drops file in System32 directory (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3f053c1c01d2a8837f7fe4326229a45.exe
    "C:\Users\Admin\AppData\Local\Temp\b3f053c1c01d2a8837f7fe4326229a45.exe"
    PID: 1784
    • Sets DLL path for service in the registry
    • Drops file in System32 directory
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    PID: 2200
    • Deletes itself
    • Loads dropped DLL

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\SysWOW64\service.dll
    Filesize: 117KB
    MD5: 0101d0958b571bd8f6d661b23919f637
    SHA1: c37af878d385e05b507a60c012fb2c85e46f7c5c
    SHA256: b231ee3bbd620f6595232b370599981d977adf6b67ce2ee7333a743094610c38
    SHA512: 6c8e98204ca9ce9d8ab314ccbb49f0ea5fc1c80f90ee286754f54769915bdbf458fdbc29b7534e1df4c8d51810b2f829c02dea133249ae53dd97d535c7c4bf71

  • memory/1784-0-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB