General

  • Target

    3768343fbb050b80a36ae59cb686b8533a843eb26c42ed5d4f1c1821b568d1e8

  • Size

    112KB

  • Sample

    220625-3ekk2aacb9

  • MD5

    9ad57ee7f8dd5211f5bc2458f7c1df22

  • SHA1

    e51d8f98d221c48c282898d1b60aadb5617b6d0a

  • SHA256

    3768343fbb050b80a36ae59cb686b8533a843eb26c42ed5d4f1c1821b568d1e8

  • SHA512

    c52fc66a77b91c9d5fdbca5f983297aeaa312060080dd9142705ff798d97d43e2170a9d3f39833f9565d4609ea357e79710a1f5f483d7d7cfd3056c356060728

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks