Extracted

• • Target

    ExeFile (118).exe

  • Size

    32KB

  • MD5

    063eac49dce280735483eda62ccfd437

  • SHA1

    7bc157cd1d16e61497c6ccf0db0c5fc9a103c7b7

  • SHA256

    a045dcaf7519a45b16068cad76467bd90b552571200c930ea4d4880416c5f39b

  • SHA512

    088346741d9076da6456504a37cc8cca01a0222cb641015254bd7924c5c089f9b9394037dc6f0c8796fbe9b81d35df9486c92d3b8f9f63c43f83115329a8884f

  • SSDEEP

    768:Fw/iOWTK3JWhOM/qZh7UJGcZ/81uwO+0pzx2onbcuyD7U7s9:mQK52fqZSIAlx2onouy87s9

  Score

  10^/10

  gh0stratrunningratdiscoverypersistenceratupx

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

    ratrunningrat

  • Server Software Component: Terminal Services DLL

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Creates a Windows Service

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2