Overview

overview

10

Static

static

3

991ab695fa...b4.exe

windows7-x64

10

991ab695fa...b4.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4.exe

  • Size

    1012KB

  • MD5

    62a33979c72994636b33e540ef9bad43

  • SHA1

    ebf4077318879583a050d779bd53a6178cb5e74b

  • SHA256

    991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4

  • SHA512

    e83f7d8861b8db6ead6991c54bee78602c49dfe24c5dd89bf0202f9c1e126b93a84ff594e50e4d34e9fcf75b1e636a1b8338141777838c45e2ea3e62952e4cd1

  • SSDEEP

    24576:2YWHDaw5/sRwYkVrHHz+mWkXwHl8xHj8oKS6uXk4uK+5QpHqw5:2swuPkRTrzXcix8ekSdj

Score
10/10
gh0stratramnitbankerdiscoveryratspywarestealertrojanupxworm

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4.exe
    "C:\Users\Admin\AppData\Local\Temp\991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Local\Temp\991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4Srv.exe
      C:\Users\Admin\AppData\Local\Temp\991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4Srv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:12540
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:12588
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:12628
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:12628 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:12700
  • C:\Windows\SysWOW64\Eowywou.exe
    C:\Windows\SysWOW64\Eowywou.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:12808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8784e3f4bbaaf8dc4bf9be75cf3c7846

    SHA1

    dac9d7d71bbd1da7ecc736568de05c2dfc071bc6

    SHA256

    a393cc31120b6dd70e30ddf6040770bea29264c46fa2a6bf8ab085e50ea56393

    SHA512

    38750eb54bb2113d9ad1614a41678e641ae6cb192de1979ce3ad65de03a7dc4a34b9a6733776a6d792970cd63d48671ed16c60c9e3447a357d85995aeaebf9f8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ecdaa09379d48e5e07102b191e8f1de2

    SHA1

    8c900c0fe066b413065d1df36ee6508c1c4abca3

    SHA256

    e613eddd51c806e6f00b3cff8c88d8eeec9517c5f1843fad815248f977472017

    SHA512

    dc336bc8f4b3985b94c0451cd1cb405839b52e614a7037a565b890598b9a053dc0c2441a188592e19247b60803d035b2886ff8df438341dd55e54a601e9917b7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    98b85a93ca8a7a4a46d114d44eae44b9

    SHA1

    443e4f5d7bc9abc09642508553bef60bc1e27519

    SHA256

    518ac1d2149fa256d623fead560548872e10b73e6abafe322a439ace1595beca

    SHA512

    04d89bbde5dfb53c923bb991f924f48c61c9365f15616a193baeaa0c6b9d059e0d59008d3045cb425ae413447d38450a4b8dbc10c3598083a673d143fc5a26c5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4ca662c48ce0f43585e9c25843908403

    SHA1

    9fdb7d45183aac1039a864f9acbcc1beda9ee7b6

    SHA256

    155da25c45ba08fd9dba9416e3c0889aa1a7e01c0ed6a92b6380019fa47251a9

    SHA512

    5ef4fa5d4d527ad53ce1d23a293cebebe7250709323a0d55d7f22ab84c5db9a3b941778201f3ad2bc89ce9e2b511e7df1e157a4b229122ee2393435c6729a393

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    170421c1c44230e90674b82f1fb06f11

    SHA1

    683bdc3474817f304b99406edcf79841d1ea5112

    SHA256

    ddad30f4251473b5f56acfd0e5a0b0dfdc33d260e7551653d2c549b95ac58ee3

    SHA512

    689734531abeb5f70f382341fccf5a5981d850e91219a68029460542ef42107cf7080edc417177a38933b85cd89681217c3e394086299d53edd15b45340df009

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2a0998d75fd11dec791955cf7a270d08

    SHA1

    61016725f0a10b53ec7925133aa8fe1ecac6f6d5

    SHA256

    a3b762a4d82683c3647620773dc1c033fbe13001fd581fa3a1c32ed3b3e03138

    SHA512

    bc0493c58c91f4c95cfc547dcdfa5303cb2c816f47fba439dc12d47e7d62ceaee6ecad46d00c3cdc78c2140cf7588fffea02ae81cf0c135020b36bf341b3d98b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    509c62dfa2d9e2674d9d2502902a74ae

    SHA1

    be2242529d4870ea886b1979f3cb8aeee74c60a0

    SHA256

    30e6bd6a1217c126cb6d0f865ecbdeeea18a1510ddf7a6ac9fde1a52544ca524

    SHA512

    f66f108d2fec6550a0a229996be93edaa04581f0be932b05198a8c5eb387cb37c122a6bd2282a810982de0fdc7ec0292a454d72bcd950e56b6e8a0a3bf46c505

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1157324205cd9b3734bc1a16ce1a379e

    SHA1

    66e23307bbb391067e93848dc327c0a0abdcfd9f

    SHA256

    c45d2727b450501e8b26f46fef78a47cc5a018da7a498de2b8b5d8fe8f60564e

    SHA512

    7a5db90a84276dfce232f536a15cb63ad10b2baa847aa48931fff4f2cfe77ac0ec511b56371cdfedd52e9afdf17daa9a0c5833bb8ca283e3818a1eb63287eeb5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    23c17c759af1d3faeaed6a11348b9a24

    SHA1

    afeb095184993700ad4169b47e26aa371e88b28a

    SHA256

    e27b464f8b2a5dd6d58c2717f1ed4f0cce2ff35918211a448e798a76433dfc45

    SHA512

    bef702841be17752a93a2289ab186c25f278df463514a64514c56fd8b541ff1173ae1041e8d0315cad9250d2fe4a1a389b74fdfc398f2f36faa414093bb349c0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5f8112d09e94d407007f28ce63e00e90

    SHA1

    4689abedcaad399ac7dd62a1f9775137e5408ec3

    SHA256

    4df0bb511ce8db684697d9c837c787107062c798000b5d2b313d7b8c601d403d

    SHA512

    e5e5807195eb2492d10fed7afcd4e5b2cf00e252c3cc577b25a8470269a5747db076dbf45bb04440dedfe6c4ea7e8eb1d8da40428313c67f08b5f7f1aaeddf98

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1161508fa7f8a6ccee2dafbcb34b47b8

    SHA1

    ff94492cbe022e39888246fb5c256cb1cf091d39

    SHA256

    fba96c0f74bfc584cf79443a3c9301db1d48b679c3ff214433793e2a504a6bf3

    SHA512

    60091f652edbec839b7b794f9636c7aaea1934e91b391029c1aceaff445ba87dd79d6534403ea65a5363f11dc712c5a7c483a00917e1f7249f451e080ea98fa6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5fbbcccc18cc7f9e407c1300a1ee5648

    SHA1

    925c8994a655ba575423a062553fb950ccb064e3

    SHA256

    6bbe9b011a0e0976c624ee3900d4bca1f648c5dd84840c805aee58ae240ac73b

    SHA512

    76c82a1882e59402b8f3bfe339468db5adcb2748c1581074dad612c9dd6037c23a9f91d03d1846df38c0a3e8feb640bd9dee02cb299692639334dd1639cd012f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    af8e3ac86d7b682ac636c1e23524f393

    SHA1

    13ca0c07fe6f968e494e353d081aaa43247439be

    SHA256

    32a041a0488a3b11b9d06979b1a5435b0408ae99a847537084a56a24147340d5

    SHA512

    6866c206fb886a9d80c53d14170fbe3e08d2bfdd4b6e549c1342ccfe718fc9d6c7639285ba79f0cb4b7d63d1a4ecf6eaf5c7ae18f52a6e0de6db6f908cb5dca3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d30e25d8755ee7acf68e337473eca970

    SHA1

    2c667825c03feb56441d5d95af17e7ecba42f6e7

    SHA256

    f5fc2416417e78955030b249e48de5cf77a807443d87d05723084f370f655a9b

    SHA512

    8e832394c05a183c52faac8456c2adb2350cd3c8955bcba63e2cf8abb29f501e5df1b54b8deec9670b4eee7b860ffdd598ea0aec8891599c750c1d618c9e1624

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    92c30bc177de4cd8d1a7a763f4a65b88

    SHA1

    42f6e0a7f6a90675ef242e477369d81fbc4061bc

    SHA256

    8e515f7f2de7dffc3d2a3d955d6f95367e6fb38c77a5bfaf7a0af1eca921ea0c

    SHA512

    7125c44889f97b0e330ecdcb513295d110a2af5a1dcd5c1c00210e6365805c527ee2ddf7ee683d3256a98c07d77bb857d203161abf88c0d6174ea10e61f7702b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\991ab695fa2cc9847d8c5b383ec68da2c91b06e1e169b4079abf5fc1c3d2d5b4Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabF1E0.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF2DD.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\SysWOW64\Eowywou.exe
    Filesize

    13.0MB

    MD5

    b65351bc0beb34f202d268f4c1239238

    SHA1

    ec33cab0bc6e6946a4c8719a1deba51b34c0a4cc

    SHA256

    07749714599b4e428728a514354e35b0ebb532bf61cfad8a3eb1e1963a39c23a

    SHA512

    ec6a2d75824a0b8a35f1e1f28320ac55e37d13b6a475d65267763eecf316947206b70d9c949e6ae135549c911f15e306070e3589214b68060cf4ad1e48f2117e

    Download Submit

  • memory/2596-526-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-514-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-538-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-540-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-542-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-546-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-548-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-550-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-552-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-554-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-556-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-558-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-564-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-562-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-560-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-2239-0x0000000001E20000-0x0000000001FA1000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2596-534-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-7986-0x0000000002B30000-0x0000000002B5E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2596-1-0x00000000750E0000-0x0000000075127000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2596-506-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-17313-0x0000000000400000-0x0000000000533000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2596-504-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-532-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-530-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-528-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-0-0x0000000000400000-0x0000000000533000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2596-524-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-522-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-520-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-518-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-516-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-536-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-503-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-512-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-510-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-544-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2596-508-0x00000000020D0000-0x00000000021E1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/12540-7996-0x0000000000240000-0x000000000026E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/12540-8005-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/12588-7999-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/12588-8004-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/12808-17128-0x0000000000400000-0x0000000000533000-memory.dmp

    Filesize

    1.2MB

    Download