Analysis
-
max time kernel
135s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
26-05-2024 07:03
Static task
static1
Behavioral task
behavioral1
Sample
06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe
Resource
win7-20240215-en
General
-
Target
06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe
-
Size
1.1MB
-
MD5
5e4aee7db5e780b199b904e552ae2f4d
-
SHA1
520c05e6897c5348d34b6aa47c1a8e0e75ea0c1f
-
SHA256
06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad
-
SHA512
a4cedbd6ea5e7c4f0607a163aa37ea0d59fcb639283f172e502536679fafb0d084e46de0bc46de64ccf095894c4cad79394ec80bb6f1ade600ec1e653d70c45c
-
SSDEEP
768:HpojYtIvCxknA/SzhQmsOHJv+gqEVfYgT5Fb6lvk1nGwBNfzpC7Mm:HDIGknAKemsEJvNfN/uqNGohzpCwm
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2220-0-0x0000000010000000-0x000000001000B000-memory.dmp family_gh0strat -
Executes dropped EXE 2 IoCs
Processes:
Arab.txtArab.txtpid process 2472 Arab.txt 2508 Arab.txt -
Loads dropped DLL 1 IoCs
Processes:
Arab.txtpid process 2472 Arab.txt -
Drops file in Program Files directory 3 IoCs
Processes:
06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exeArab.txtdescription ioc process File created C:\Program Files (x86)\Arab\Arab.txt 06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe File opened for modification C:\Program Files (x86)\Arab\Arab.txt 06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe File created C:\Program Files (x86)\Arab\Arab.txt Arab.txt -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exeArab.txtArab.txtpid process 2220 06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe 2472 Arab.txt 2508 Arab.txt -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Arab.txtdescription pid process target process PID 2472 wrote to memory of 2508 2472 Arab.txt Arab.txt PID 2472 wrote to memory of 2508 2472 Arab.txt Arab.txt PID 2472 wrote to memory of 2508 2472 Arab.txt Arab.txt PID 2472 wrote to memory of 2508 2472 Arab.txt Arab.txt
Processes
-
C:\Users\Admin\AppData\Local\Temp\06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe"C:\Users\Admin\AppData\Local\Temp\06efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2220
-
C:\Program Files (x86)\Arab\Arab.txt"C:\Program Files (x86)\Arab\Arab.txt"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Program Files (x86)\Arab\Arab.txt"C:\Program Files (x86)\Arab\Arab.txt" Win72⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2508
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD55e4aee7db5e780b199b904e552ae2f4d
SHA1520c05e6897c5348d34b6aa47c1a8e0e75ea0c1f
SHA25606efad19b35b745c1d0e756a670d2cfbb2a991d5e4d5e524cfda78ff74e304ad
SHA512a4cedbd6ea5e7c4f0607a163aa37ea0d59fcb639283f172e502536679fafb0d084e46de0bc46de64ccf095894c4cad79394ec80bb6f1ade600ec1e653d70c45c