General

  • Target

    dst.exe

  • Size

    32KB

  • Sample

    220626-f6sdmaggdp

  • MD5

    9c9ced1054c8891f6f8dde502deeb860

  • SHA1

    9484dea6740cb5dedc89bfdc92a775ebc7399b17

  • SHA256

    29336d183897ebe82620f4cb72650482f1ddc1e442e92d6706139200d62e918c

  • SHA512

    9ba2eeb55cb447510548204bb5eb34849675cc0fd22abb54f31576cbcef9882902a90841d07b7340aa3d712f849445835b2132a9d4763362feaec257588bcbc5

Malware Config

Targets

    • Target

      dst.exe


    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat Payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks