General

  • Target

    86.exe

  • Size

    112KB

  • Sample

    220626-fyvh1sade6

  • MD5

    38e84da8176785d14fbb5f5c6d49f140

  • SHA1

    1674093fb994118767f1478b3deb823d41da47ee

  • SHA256

    0ff435fc383947a04bd590f9cb6aff83c85d2ebe2391ffed108639fcde93550d

  • SHA512

    354be6543127177a362640081561f2933ae3f794a261676a5d9037c064a20a960750d1715943cb30a609b00b369b68b6a592d74accbf1b755bd8988942148d2a

Malware Config

Targets

    • Target

      86.exe

    • Size

      112KB


    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

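The behaviours above (creates a Windows service, sets the service's DLL path in the registry, drops a file in System32, loads the dropped DLL) describe the classic svchost-hosted service persistence used by Gh0st RAT builds. The following PowerShell script is an added hunting example, not part of the sandbox report or of the sample itself: it walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each Parameters\ServiceDll, and flags entries whose DLL is missing, recently created, or not validly signed. The 24-hour age threshold and the choice of warning reasons are assumptions for this example.

```powershell
# Added example (not from the report): hunt for svchost-hosted service persistence
# of the kind this report flags: a service whose Parameters\ServiceDll points at a
# recently dropped or unsigned DLL. Run from an elevated PowerShell on the host.
param(
    [int]$MaxAgeHours = 24   # assumption: DLLs created within the last day are suspicious
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$cutoff = (Get-Date).AddHours(-$MaxAgeHours)

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svcName    = $_.PSChildName
    $paramsPath = Join-Path $_.PSPath 'Parameters'
    if (-not (Test-Path -Path $paramsPath)) { return }

    # ServiceDll is the registry value the signature "Sets DLL path for service" refers to.
    $serviceDll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    if (-not $serviceDll) { return }

    # Expand %SystemRoot% and friends so the file can be inspected on disk.
    $dllPath   = [Environment]::ExpandEnvironmentVariables($serviceDll)
    $imagePath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    $file      = Get-Item -LiteralPath $dllPath -ErrorAction SilentlyContinue

    $reasons = @()
    if (-not $file) {
        $reasons += 'ServiceDll missing on disk'
    } else {
        if ($file.CreationTime -gt $cutoff) { $reasons += "DLL created $($file.CreationTime)" }
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        # A ServiceDll normally lives under System32; elsewhere is worth a look.
        if ($dllPath -notlike "$env:SystemRoot\System32\*") { $reasons += 'DLL outside System32' }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svcName
            ServiceDll = $dllPath
            ImagePath  = $imagePath
            SHA256     = if ($file) { (Get-FileHash -Algorithm SHA256 -LiteralPath $dllPath).Hash } else { $null }
            Reasons    = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize
```

Compare the SHA256 column against the hashes in this report and any dropped-file hashes from the sandbox run; a service whose DLL matches, was created in the same window as the sample's execution, or has no valid signature is a candidate for triage. Legitimate unsigned or third-party ServiceDll entries do occur, so treat the output as leads rather than verdicts.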
MITRE ATT&CK Enterprise v6

Tasks