General

  • Target

    64.exe

  • Size

    112KB

  • Sample

    220626-fygxxsadd8

  • MD5

    03901821df28b37ffb3ba21648e5ee23

  • SHA1

    6bfa94dcaffd0487e4f223ee5a056ad046f6f347

  • SHA256

    01a1a142b1f4fcf6fbac05aa1c6b9e97c28ef3bf7710e3ebd0c558e1e3fde260

  • SHA512

    cb476c226ac9654bb4658a32559bc1933052b9fb1077c33ae80a41d63cd69230317e802f9d1794ac17ae8c3df4cf13c1ffc01e771bd9210710a5b525e4932c19

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks