General

  • Target

    TG_setup-x64.7z

  • Size

    35.3MB

  • Sample

    220703-bl91qabdhq

  • MD5

    1e6923d66132e9506b6f11eebf07077b

  • SHA1

    92c196b7addc4bc4ab65bc6f555f70e69dee3420

  • SHA256

    b39a17feeb9ba7a73b458b792532bb90009d64af4ffcf4f8636846f7832503d5

  • SHA512

    b26d2369a0a6d4b5ca301656edabf71d3b9cefd15215d7f9519403cc3aff5a0a05e63e57a717b84c623c397f332504a359de09a9a54b998bfd4274d190b5bc2b

Malware Config

Targets

    • Target

      TG_setup-x64.exe

    • Size

      36.1MB

    • MD5

      7b751af2c64f68ed29dc6a89b90985b5

    • SHA1

      f51be698468764370c3d37611c1f5c90da8f5639

    • SHA256

      d71c5b15777a6f0ac68eef46da3bc976f5727f287e5ed8873b32e628c4f07a13

    • SHA512

      cc9b1debacf8f87a27759ad1478b19ad4fe54a9e7b53e91c76f16d8dd42576cffa63c965c471876f093897136c197c84ab0b4bf5c061d8f865a2a788e9af924f

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry: T1012 (4)

    • Peripheral Device Discovery: T1120 (1)

    • System Information Discovery: T1082 (4)

Tasks