General

  • Target

    ab90efdaedb439ded694d5d5f77121be71a7e915a7af19a95bdbd570b5be6b27

  • Size

    32KB

  • Sample

    220701-gp787aehep

  • MD5

    57f43fcd65c74071fd2e8f1bced732ce

  • SHA1

    5e8768bc07a386d2d00e72d64d6d353d934f8625

  • SHA256

    ab90efdaedb439ded694d5d5f77121be71a7e915a7af19a95bdbd570b5be6b27

  • SHA512

    441a743b64b8a8606ac96530992e11f5944f520b291ff251f1d6bddf120fdb4d4545f656af078663fed0bfb7310197aab75cba53ae91c65eb6e3611ce1f94ea0

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat Payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified version of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks