Analysis

max time kernel: 29s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-08-2024 06:02

Static task: static1
Behavioral task: behavioral1
Sample: Vape.Ghost.Client.exe
Resource: win11-20240802-en
General

Target: Vape.Ghost.Client.exe
Size: 5.2MB
MD5: 35df05b7c1961a0f69bd99ea78732656
SHA1: 0b6c342574f28ff311232549db6c4f147db779dc
SHA256: 1da503b09db301240e0e884cb784c00ac36bed73ff1589706db852fd21dc1b90
SHA512: a19686a1d3b4366091a931d2270c8c263c504106abb9b302de6c51df271cabd6523b699c37c4333135f61699d037d640f07a15e791c220ac1dd5a190eef5eb1c
SSDEEP: 98304:mR0PSTKTvyaW4YWXkOeLJGAD9hPa7TE8KTh0QcIzypHchp5leZzgD:yYwKTvBYyBqA8hPa7TEP9ZcIzyahpPKw
Malware Config

Extracted: xenorat
127.0.0.1
Xeno_rat_nd8912d
delay: 5000
install_path: nothingset
port: 4444
startup_name: nothingset
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  2580  AUTOCL~1.EXE

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: Vape.Ghost.Client.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: AUTOCL~1.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process                procid_target
  PID 2496 wrote to memory of 2580  2496  Vape.Ghost.Client.exe  82
  PID 2496 wrote to memory of 2580  2496  Vape.Ghost.Client.exe  82
  PID 2496 wrote to memory of 2580  2496  Vape.Ghost.Client.exe  82
Processes

C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe"
  PID: 2496
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
    PID: 2580
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 68KB
MD5: 244c234696a4a686ba7b6e4652d6200e
SHA1: 09806d289fb39ed2997eadceb901ba8e2e5616e5
SHA256: 2930b9f36c5719b27475da8bec4990528fc2aa55d768007b06b7d4c1cdad2654
SHA512: c40b6c8e1ec76e0018c0a15d0192e2371445a8250d42de78ccbfb3b3a100f9c21261ad7bad20ec92dada4d67ca05ae6474a9555a414167c96a1e479d93ac07f9