General

  • Target

    4ede99f5c5f44b2f9e573c23eed940512cdaa1ab578ac4548e511e0b0c1b24e9

  • Size

    112KB

  • Sample

    220625-cztrbsagcl

  • MD5

    28791769da9ed51d070020058e9c172c

  • SHA1

    a9060e5b1c51da2b213917cec15a0ff51aecde05

  • SHA256

    4ede99f5c5f44b2f9e573c23eed940512cdaa1ab578ac4548e511e0b0c1b24e9

  • SHA512

    04ea27c1cfe4f4937cdaf204c3883bd395b289e400bf51fa945ca24fecc4813f626e3920445db5fcaa22b1cfdf8ca0922779a87ee993d1dfac7695237d8d1973

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks