General

  • Target

    37cec60df5f3503eae59daa7bd38c5d0fb54a78868a2e388b11e2364b4a148f8

  • Size

    108KB

  • Sample

    220625-1znr3sdgfq

  • MD5

    a745a952b81098ff60f807f395caf4a0

  • SHA1

    1b6389755a97c47c6d2c5b41589763f052a23833

  • SHA256

    37cec60df5f3503eae59daa7bd38c5d0fb54a78868a2e388b11e2364b4a148f8

  • SHA512

    e4bdcfc2687b34409a0d789a4f6a1493506adaba91087b5e36cde784c962ae55ca43c110d4de59dcc906275ed8aa3ceff7a7d43cbcc68d44bda8fc96cd01202f

Malware Config

Targets

    • Target

      37cec60df5f3503eae59daa7bd38c5d0fb54a78868a2e388b11e2364b4a148f8

    • Size

      108KB

    • MD5

      a745a952b81098ff60f807f395caf4a0

    • SHA1

      1b6389755a97c47c6d2c5b41589763f052a23833

    • SHA256

      37cec60df5f3503eae59daa7bd38c5d0fb54a78868a2e388b11e2364b4a148f8

    • SHA512

      e4bdcfc2687b34409a0d789a4f6a1493506adaba91087b5e36cde784c962ae55ca43c110d4de59dcc906275ed8aa3ceff7a7d43cbcc68d44bda8fc96cd01202f

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6