Overview

overview

10

Static

static

7

83803037d5...87.exe

windows7-x64

10

83803037d5...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2025, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83803037d5f38b78cee615f99e834659f7e934dd8eb27719d29e4590e2a29787.exe

  • Size

    1.2MB

  • MD5

    2cb4a761906448320fe3b72d3198be5c

  • SHA1

    9cfa2a6c985bd5f9cbf92d87732abc6ab2ef9449

  • SHA256

    83803037d5f38b78cee615f99e834659f7e934dd8eb27719d29e4590e2a29787

  • SHA512

    26ed7d48ee645f83ff7e09ccc8a777b99ac0f7f7d6a83ece60d24728dab33e2d8c0d46ab7eaea032812fb71295d89b85585aa0a5fbdcd4dc565865121c52b064

  • SSDEEP

    24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtif:WIwgMEuy+inDfp3/XoCw57XYBwKf

Score
10/10
gh0stratdiscoveryratupxvmprotect

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83803037d5f38b78cee615f99e834659f7e934dd8eb27719d29e4590e2a29787.exe
    "C:\Users\Admin\AppData\Local\Temp\83803037d5f38b78cee615f99e834659f7e934dd8eb27719d29e4590e2a29787.exe"
    1⤵
      PID:2484
      • C:\Users\Admin\AppData\Local\Temp\AK74.exe
        C:\Users\Admin\AppData\Local\Temp\\AK74.exe
        2⤵
          PID:1972
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          2⤵
            PID:2736
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          1⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2780

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\Ghiya.exe
          Filesize

          320KB

          MD5

          751a81a5794a4cd309d19a93ce5d5c66

          SHA1

          e44763d10e87cc98e633bf729146ccf02e8fd812

          SHA256

          7ab01f3e20a91f59a4d29266fa48b5e57a66354c110f554b566e78fc410f6357

          SHA512

          975a989cc1297a81f616b4a89250a25f938d31f12cc870f99ba957f917500bca87aa0888338580d201312bc0eb817c7b04ea45e41d8878dd9c807f3105f164fd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\AK47.exe
          Filesize

          91KB

          MD5

          423eb994ed553294f8a6813619b8da87

          SHA1

          eca6a16ccd13adcfc27bc1041ddef97ec8081255

          SHA256

          050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

          SHA512

          fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

          Download Submit

        • \Users\Admin\AppData\Local\Temp\AK74.exe
          Filesize

          386KB

          MD5

          4ca122dfd51c09ec95aecbff5d669993

          SHA1

          93b7b087cb5c89500c4be811bf6f096f9169b104

          SHA256

          6972f1a6cfe961ed9a5314c1dfd00633ee304995b16aebcf4ca359ce02c50c6c

          SHA512

          a023a4f22705cfb640d2f2123c48a97295b87d657e98cea52b9c8120514ca8244dc94dbfe7a15a6f05897cd69a762756756e96fb28712c730ba8807e6f8d858d

          Download Submit

        • \Windows\SysWOW64\259448835.txt
          Filesize

          49KB

          MD5

          44215fb1afd01851e8d50825af757822

          SHA1

          34086fe4ee1bddfd4847b0bfce168454dfcaf182

          SHA256

          3895a5c579581aa4a8ead68abe5640ab8f3e86efd9118ffc127646b9cbbe5fc2

          SHA512

          13332f118af2775ce85379f0f3d23bca9c17813039956e3dba3a496444d9aea6dbf1ec3713fb5a335988f474369dbbb443f15fe23818f3f4a75930975f16b23c

          Download Submit

        • memory/1972-21-0x0000000010000000-0x00000000101BA000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2484-0-0x0000000000400000-0x0000000000760000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2484-1-0x0000000000400000-0x0000000000760000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2732-47-0x0000000010000000-0x00000000101BA000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2732-49-0x0000000010000000-0x00000000101BA000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2732-53-0x0000000010000000-0x00000000101BA000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2732-57-0x0000000010000000-0x00000000101BA000-memory.dmp

          Filesize

          1.7MB

          Download