General

  • Target

    3bcbf53b24006f45ade2b5ef1874954efc84867f739f26f682775ff27c576ac8

  • Size

    33KB

  • Sample

    220703-llc14adghp

  • MD5

    858e1c72388e9401fe0ff991157be7a1

  • SHA1

    4a36e4d19b3bc00d3464c1993c989a8b9a648d72

  • SHA256

    3bcbf53b24006f45ade2b5ef1874954efc84867f739f26f682775ff27c576ac8

  • SHA512

    333012e90c4731d0c4acc2c1aa73add6c5b66f2d6a5b9023beae06a780a1b9d7c0f24e8d5d32fcc8b9f750e3b0cadadf4ffcadcb2f7917a53fb0cc24fd5ba042

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat Payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks