Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2025 16:55

General

  • Target

    159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

  • Size

    2.2MB

  • MD5

    e2499d45781442f28937ca2eb24ff56c

  • SHA1

    e22d6ac937ab8e99447ffc00a57d76c03e97df86

  • SHA256

    159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73

  • SHA512

    2efe9f3540312224b3b06ff4f3ce1f8ea2ffcf92e0147b81f3c88611ebc395805ad2da08cb768d95a4a86207c969b6d57dc8ebaf4a7e484601fcd60e65b09ad9

  • SSDEEP

    49152:zEywVVvUji3TA3nsHyjtk2MYC5GDGisyn7dS:Q1VVv2883nsmtk2aQ7c

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
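The config above lists one C2 hostname plus three mirrors for each of three payloads (SUpdate.ini, Synaptics.rar, SSLLibrary.dll), staged on Google Drive, Dropbox and xred.site50.net. The script below, added here as an example and not code from the sandbox report or from the malware, turns that config into indicators a hunter can deploy: hosts the operator controls become domain indicators, while payloads staged on shared hosting become exact-URL indicators so that the shared host itself is not sunk. The SHARED_HOSTS set and the filename grouping heuristic are assumptions of this example; the URLs are copied from the config.

```python
"""Turn the extracted config above into hunt-ready indicators.  Added
example, not code from the sandbox report or from the malware.

C2 and PAYLOAD_URLS are copied from the Malware Config section.  SHARED_HOSTS
is an assumption: hosts that also carry legitimate traffic, for which only the
exact URL is a usable indicator."""
from collections import defaultdict
from urllib.parse import urlsplit

C2 = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]
# Assumption: shared infrastructure; blocking the host would hit legitimate use.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def classify(url):
    """(host, kind): kind is 'host' when the whole host is operator-run and
    the domain can be sunk, 'url' when only this exact URL should be blocked."""
    host = urlsplit(url).hostname.lower()
    return host, ("url" if host in SHARED_HOSTS else "host")


def indicators():
    """Deduplicated list: domain indicators for operator-controlled hosts
    (C2 first), exact-URL indicators for payloads staged on shared hosting."""
    out, seen = [{"type": "domain", "value": C2, "note": "C2"}], {C2}
    for url in PAYLOAD_URLS:
        host, kind = classify(url)
        if kind == "url":
            out.append({"type": "url", "value": url,
                        "note": f"payload staged on shared host {host}"})
        elif host not in seen:
            seen.add(host)
            out.append({"type": "domain", "value": host, "note": "payload host"})
    return out


def mirrors():
    """Group payload URLs by the file they serve.  Dropbox and site50 links
    name the file in the path; Google Drive links expose only an opaque id and
    land in 'unnamed'; anything else (the FreeDNS API call) lands in 'other'."""
    groups = defaultdict(list)
    for url in PAYLOAD_URLS:
        parts = urlsplit(url)
        last = parts.path.rsplit("/", 1)[-1]
        if "." in last:
            groups[last].append(url)
        elif parts.hostname == "docs.google.com":
            groups["unnamed"].append(url)
        else:
            groups["other"].append(url)
    return dict(groups)


def denylist_lines():
    """One 'type<TAB>value' line per indicator, ready for a proxy or DNS sink."""
    return [f"{i['type']}\t{i['value']}" for i in indicators()]
```

mooo.com is one of the shared domains handed out by FreeDNS (afraid.org), so the getdyndns API call and the C2 hostname sit on the same dynamic-DNS service; that is why the API URL is treated as an exact-URL indicator here rather than a domain.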

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
    "C:\Users\Admin\AppData\Local\Temp\159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\GLk.exe
      C:\Users\Admin\AppData\Local\Temp\\GLk.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1984
    • C:\Users\Admin\AppData\Local\Temp\HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
      C:\Users\Admin\AppData\Local\Temp\\HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3988
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1864
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "svchist"
    1⤵
      PID:1076
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "svchist"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\SysWOW64\svchist.exe
        C:\Windows\system32\svchist.exe "c:\windows\system32\240612093.bat",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4284
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3296
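Three things in the tree above are detectable from process-creation telemetry alone: svchost.exe started with a service group ("svchist") that matches no stock Windows group name, a binary in SysWOW64 whose name is one letter away from svchost.exe, and that binary being invoked with rundll32's `path,Export` argument form against a file carrying a .bat extension. The script below is an added example, not part of the sandbox report; it runs those three rules over events modelled on the tree (PIDs, images and command lines taken from it, parent PIDs assumed from its nesting, plus two constructed benign controls). KNOWN_SVCHOST_GROUPS and SYSTEM_BINARIES are assumed, partial lists that a real deployment would replace with a host baseline.

```python
"""Three process-creation rules for the tree above, run over constructed
events.  Added example, not part of the sandbox report.

PIDs, images and command lines are modelled on the Processes section; parent
PIDs are assumed from its nesting; the last two events are benign controls.
KNOWN_SVCHOST_GROUPS and SYSTEM_BINARIES are assumed, partial lists."""
import ntpath
import re

# Assumption: partial list of stock svchost service groups.  On a real host
# build it from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "localservicenetworkrestricted",
    "localservicenonetwork", "localserviceandnoimpersonation",
    "localsystemnetworkrestricted", "networkservice",
    "networkservicenetworkrestricted", "rpcss", "dcomlaunch", "wsappx",
    "unistacksvcgroup",
}
# Assumption: names worth checking for one-character imitations.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "explorer.exe", "rundll32.exe", "spoolsv.exe"}
# Extensions legitimately loaded through rundll32's "path,Export" form.
DLL_EXTS = {"dll", "cpl", "ocx", "ax"}

SVCHOST_GROUP = re.compile(r'-k\s+"?([^"\s]+)"?', re.IGNORECASE)
RUNDLL_ARG = re.compile(r'"?([^"\s]+\.([A-Za-z0-9]+))"?\s*,\s*([A-Za-z_]\w*)')


def levenshtein(a, b):
    """Edit distance, enough to catch svchist.exe posing as svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_event(ev):
    """Names of the rules an event trips; empty list when clean."""
    image = ntpath.basename(ev["image"]).lower()  # ntpath: Windows paths on any OS
    hits = []
    if image == "svchost.exe":
        m = SVCHOST_GROUP.search(ev["cmdline"])
        if (m.group(1).lower() if m else "") not in KNOWN_SVCHOST_GROUPS:
            hits.append("svchost_unknown_group")
    m = RUNDLL_ARG.search(ev["cmdline"])
    if m and (m.group(2).lower() not in DLL_EXTS or image != "rundll32.exe"):
        # a DLL hiding behind .bat, or a non-rundll32 binary using its syntax
        hits.append("rundll_syntax_abuse")
    if any(image != n and levenshtein(image, n) == 1 for n in SYSTEM_BINARIES):
        hits.append("system_binary_lookalike")
    return hits


def ancestry(events, pid):
    """Parent chain of image names, child first, so an alert shows who spawned what."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def scan(events):
    """PID -> (rules tripped, parent chain) for every event with a hit."""
    return {e["pid"]: (h, ancestry(events, e["pid"]))
            for e in events if (h := check_event(e))}


TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = "159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe"


def ev(pid, ppid, image, cmdline=None):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or image}


EVENTS = [
    ev(2160, None, TMP + SAMPLE, f'"{TMP}{SAMPLE}"'),
    ev(1984, 2160, TMP + "GLk.exe"),
    ev(4756, 2160, TMP + "HD_" + SAMPLE),
    ev(3988, 4756, TMP + "._cache_HD_" + SAMPLE),
    ev(4468, 4756, r"C:\ProgramData\Synaptics\Synaptics.exe",
       r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'),
    ev(1864, 4468, TMP + "._cache_Synaptics.exe", f'"{TMP}._cache_Synaptics.exe" InjUpdate'),
    ev(1076, None, r"C:\Windows\SysWOW64\svchost.exe", r'C:\Windows\SysWOW64\svchost.exe -k "svchist"'),
    ev(4536, None, r"C:\Windows\SysWOW64\svchost.exe", r'C:\Windows\SysWOW64\svchost.exe -k "svchist"'),
    ev(4284, 4536, r"C:\Windows\SysWOW64\svchist.exe",
       r'C:\Windows\system32\svchist.exe "c:\windows\system32\240612093.bat",MainThread'),
    # constructed benign controls, not from the report
    ev(900, 4, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ev(901, 1000, r"C:\Windows\System32\rundll32.exe",
       r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]
```

`scan(EVENTS)` flags the two svchost instances for the unknown group and svchist.exe for both the lookalike name and the `.bat",MainThread` invocation, and leaves the netsvcs and rundll32 controls alone. The Temp and ProgramData executables are not flagged by these rules; they need file-origin or signature context that process events alone do not carry.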


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\._cache_HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

      Filesize

      299KB

      MD5

      430a5a0034d36d98ee100d97f58dd88d

      SHA1

      2a43f8663a21c8055b36521c49436bce535e9e9c

      SHA256

      831ef3bd56fc1bab96d6310466fb4f3563cf008512572e7fc0027c70dafe51d7

      SHA512

      d3b3101864ed9c1e01fcfabf47a08f64ee901227b107d2860a4bc96f44670870cf1a887bc7f4dfb9c0f0535a32a4fbc1aa1e4f183f1d5483f274a654cae1727a

    • C:\Users\Admin\AppData\Local\Temp\GLk.exe

      Filesize

      337KB

      MD5

      b8e58a96761799f4ad0548dba39d650c

      SHA1

      c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

      SHA256

      334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

      SHA512

      1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

    • C:\Users\Admin\AppData\Local\Temp\HD_159a23a4989271751002f8fcda260ff43cbbf8623d5cb27491091d5053561d73.exe

      Filesize

      1.0MB

      MD5

      075dd995c2750cdcf87eeb180a81ccb7

      SHA1

      cae188c9e967765dbb7669ae094df2e6b7c2315b

      SHA256

      ea3b6456775bd3e399f13257cf95d9b58c86e9929a8a8ad9e2212921834fa525

      SHA512

      057f47499a8790da1eb8c944514b3d82d13c0f15a09f440c82fbcde433bf07f9212a730aa3176748ea8daddab0eb3b4d5eaf52d28a0adce1b01c86c76703275f

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

      Filesize

      1.2MB

      MD5

      b4c74f141281b76cd65ab27730518aa0

      SHA1

      341cad358dbbe7fefc60f8ee75589560ab31a825

      SHA256

      b6006180bc5a72147e55d25139e7728cb43f92330d578116d765eaa900abfae6

      SHA512

      200b362e1130702bb3e9eea26fea004af0c12c94eac9e1da5ee850c215deecc903c302c086c77302fd9a8b861ca65feb800793094b69676c462092c0584a6559

    • C:\Users\Admin\AppData\Local\Temp\tVngT4ty.xlsm

      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    • C:\Users\Admin\Desktop\SplitPing.exe

      Filesize

      1.0MB

      MD5

      17095badc94be141bc91a0379fc68e16

      SHA1

      ba81e6303cd28c912a84f7bc435388ee240a9408

      SHA256

      c38cf02c36cb907d3153954e2561b4a0ddffb6f1e60be962d5602dc55511bf44

      SHA512

      f57fc594cefd3eebde8c7f990294ba2581a7a713c9502fae912def65a2f6addb6b758cccfe10257a1778fb40cdde835544a7dd04332c4ed501b56ab733454244

    • C:\Windows\SysWOW64\240612093.bat

      Filesize

      51KB

      MD5

      de9ea3913b4f3fa936ffcf3138be90ed

      SHA1

      55ee9a42429518cc3feae63cb2821dd80a81af23

      SHA256

      e8ede7d43baee88784df43ea51f1f824503ef12b22dec3df19e2bc1c44c8c7cc

      SHA512

      7633ef3d1c4212296c633b94bc5cb10b11d651993ee9bb49295ad0840aa666f76ecc22a225d814571f581b8e4c95f78885688f74c48049ee4ad5acdeeed5649c

    • C:\Windows\SysWOW64\svchist.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • memory/3296-206-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

      Filesize

      64KB

    • memory/3296-208-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

      Filesize

      64KB

    • memory/3296-209-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

      Filesize

      64KB

    • memory/3296-210-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

      Filesize

      64KB

    • memory/3296-211-0x00007FFC3D8E0000-0x00007FFC3D8F0000-memory.dmp

      Filesize

      64KB

    • memory/3296-212-0x00007FFC3D8E0000-0x00007FFC3D8F0000-memory.dmp

      Filesize

      64KB

    • memory/3296-207-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

      Filesize

      64KB

    • memory/4468-230-0x0000000000400000-0x000000000050D000-memory.dmp

      Filesize

      1.1MB

    • memory/4468-275-0x0000000000400000-0x000000000050D000-memory.dmp

      Filesize

      1.1MB

    • memory/4756-122-0x0000000000400000-0x000000000050D000-memory.dmp

      Filesize

      1.1MB

    • memory/4756-18-0x00000000006D0000-0x00000000006D1000-memory.dmp

      Filesize

      4KB
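The Downloads list above is an IOC table flattened into bullets. The parser below, an added example and not code from the report, rebuilds it into records, rejects digests of the wrong length for their algorithm, separates on-disk artifacts (which carry hashes) from memory/… dump regions (which do not), and matches a file against the table by SHA256. REPORT_EXCERPT is a whitespace-condensed copy of three entries from the list; the file hashed in demo() is constructed here and is not a sample.

```python
"""Rebuild the Downloads table above into IOC records and match files
against it.  Added example, not code from the sandbox report.

REPORT_EXCERPT is a whitespace-condensed copy of three entries from the
Downloads list; the file hashed in demo() is constructed, not a sample."""
import hashlib
import os
import re
import tempfile

REPORT_EXCERPT = r"""• C:\Windows\SysWOW64\240612093.bat
  Filesize
  51KB
  MD5
  de9ea3913b4f3fa936ffcf3138be90ed
  SHA1
  55ee9a42429518cc3feae63cb2821dd80a81af23
  SHA256
  e8ede7d43baee88784df43ea51f1f824503ef12b22dec3df19e2bc1c44c8c7cc
  SHA512
  7633ef3d1c4212296c633b94bc5cb10b11d651993ee9bb49295ad0840aa666f76ecc22a225d814571f581b8e4c95f78885688f74c48049ee4ad5acdeeed5649c
• C:\Windows\SysWOW64\svchist.exe
  Filesize
  60KB
  MD5
  889b99c52a60dd49227c5e485a016679
  SHA1
  8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256
  6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512
  08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
• memory/3296-206-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp
  Filesize
  64KB
"""
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")


def parse_downloads(text):
    """Turn the '• path / label / value' bullets into dicts.  A digest whose
    length does not fit its algorithm is a transcription error: fail loudly
    rather than ship a hash that can never match."""
    entries, cur, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            cur = {"path": line[1:].strip(), "size": None, "hashes": {}}
            entries.append(cur)
            label = None
        elif cur is None:
            continue
        elif line == "Filesize" or line in DIGEST_LEN:
            label = line
        elif label == "Filesize":
            cur["size"], label = line, None
        elif label in DIGEST_LEN:
            value = line.lower()
            if len(value) != DIGEST_LEN[label] or not HEX.match(value):
                raise ValueError(f"{cur['path']}: malformed {label} {line!r}")
            cur["hashes"][label] = value
            label = None
    return entries


def file_iocs(entries):
    """Only on-disk artifacts carry digests; 'memory/...' rows describe dump
    regions and are useless as file indicators."""
    return [e for e in entries if e["hashes"]]


def digest_file(path):
    """All four digests in one pass, so a report row can be compared whole."""
    hs = {name: hashlib.new(name.lower()) for name in DIGEST_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def match(path, iocs):
    """Report rows whose SHA256 equals the file's.  Compare SHA256, not MD5 or
    SHA1, so a collision cannot be used to dodge or forge a hit."""
    sha256 = digest_file(path)["SHA256"]
    return [e["path"] for e in iocs if e["hashes"].get("SHA256") == sha256]


def demo():
    """Hash a constructed file (not a sample) against the table: no match."""
    iocs = file_iocs(parse_downloads(REPORT_EXCERPT))
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "svchist.exe")  # same name as the drop, harmless bytes
        with open(p, "wb") as f:
            f.write(b"constructed placeholder, not the dropped binary\n")
        return match(p, iocs)
```

A file named svchist.exe with the wrong content is not a hit, which is the point of matching on content rather than path; conversely the real drop would match whatever it was renamed to.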