Overview

overview

10

Static

static

3

f5779045a4...bc.exe

windows7-x64

10

f5779045a4...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5779045a4f8a31b8604d2c759ce710f217b99415ed57689c2b3f9946d8462bc.exe

  • Size

    1.0MB

  • MD5

    b7f7eccc38bd334fd00d2e7d2f4b9c8f

  • SHA1

    7e5f9d367a3848c0ee1db0078c27083da6e96291

  • SHA256

    f5779045a4f8a31b8604d2c759ce710f217b99415ed57689c2b3f9946d8462bc

  • SHA512

    f8fbfc08d633b0739326491c96189c7cef4652f5bd2a12130c142174033f3623e74e53be1343dc4184d281133d53f3d9f1b20516e9d9cdb9728982a3d593c339

  • SSDEEP

    12288:6De4Fy/UQ0Vmu+X5IGasus/hP4ixLz1i7G8v4jKmU94XvOPE5XJl0TftFadFbBKi:6BA/rdIGaRaB4ixLqvehU94Xr5XjGar

Score
10/10
gh0stratrat

Malware Config

Extracted

Family

gh0strat

C2

164.155.205.114

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5779045a4f8a31b8604d2c759ce710f217b99415ed57689c2b3f9946d8462bc.exe
    "C:\Users\Admin\AppData\Local\Temp\f5779045a4f8a31b8604d2c759ce710f217b99415ed57689c2b3f9946d8462bc.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2856-0-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-1-0x00000000757C0000-0x00000000759D5000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2856-3875-0x00000000774F0000-0x0000000077690000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2856-5884-0x0000000076410000-0x000000007648A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2856-13069-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-13070-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-13071-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-13072-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-13074-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-13075-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2856-13076-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2856-13079-0x0000000000400000-0x000000000056F000-memory.dmp

    Filesize

    1.4MB

    Download