Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-03-2024 02:51

General

  • Target: eaf4c7323032af32bdd10830bb997423cf34b13080b9b783f4cf6bd63bb7fec5.exe
  • Size: 184KB
  • MD5: c5060f477eb4f436f96f9c74b478b6b7
  • SHA1: b9c2e196d2b3ec1550cd9a4ad300dfb2e776e8ae
  • SHA256: eaf4c7323032af32bdd10830bb997423cf34b13080b9b783f4cf6bd63bb7fec5
  • SHA512: ff6e3ec98f54f8036054e83d3053bfbbb745315c16666aeea15045f397d242a8be85d6673ae926b035ff1251dac465a80d343ad7b692ae83c4d074b70b9ebe52
  • SSDEEP: 3072:ScWYIOets7tPdGYnNnVzamxH/tiZ+1cfk4TwIb6rYGPeqov:FWYF1fnV7Ztmffk6wAKYeeqo

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaf4c7323032af32bdd10830bb997423cf34b13080b9b783f4cf6bd63bb7fec5.exe
    "C:\Users\Admin\AppData\Local\Temp\eaf4c7323032af32bdd10830bb997423cf34b13080b9b783f4cf6bd63bb7fec5.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID: 1452
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID: 4896

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\temp2603300.dll
    Filesize: 109KB
    MD5: 887b38cf35a97c8800467b7e82db2346
    SHA1: b287506cd9709f2a6ed1fcc80cf22c21f5018d82
    SHA256: 0587c530bc217a9fa0717f881d829ee9698c95db46e29408c1a3bca2192419a8
    SHA512: ee93bad3b06455b631d3fe47e4965bf30a33b027ae8e93b9121654fe006fc4da6cad8d25727fb673c67e155009faddd4ed024aa30e91b05fa5c9a0cb2aad14a0

  • \??\c:\NT_Path.old
    Filesize: 129B
    MD5: 6eac6693aabba3ecdc192d43fa39eee6
    SHA1: cc4cffaa5f914e14fc2281d46c15fafbb82c5ab7
    SHA256: a9693a3bc748d2eb346e2fee93b36000f5e49043cecc27e14ddb025a34573d18
    SHA512: b486c7c3ddc5d71157f7f2c8642164d7de6e9f9a17c7629c932b993329ff7d773429f2b3ecd70b7c771c6f9622dc65433791a9195db534da847b1fac313ee575

  • \??\c:\program files (x86)\bkuw\ukkpixjhy.bmp
    Filesize: 4.6MB
    MD5: 2cc3ebbcae019770c67b713faf77de3b
    SHA1: 5bf27ba78430055ea9b26631a49a86400c47401d
    SHA256: 59512ca970b52aef307a5fd935a03c156cf9066d9dbe17cfc0a016c210afadc0
    SHA512: f03c8db84458aa4b2a58cb84d7b49e194efd22f3633f7332005a3d296875625fcdaf9e07ebaf8d55ba5e71c8608d84811b9cdd15f2a9b2161ab66b120c7efbaa