General

  • Target

    44e423439abca43b30b61dd92ea8d15f023273eec00c299601b4f13e47d5c598

  • Size

    32KB

  • Sample

    220707-wfd2bafef4

  • MD5

    e80584b98d46c8ce0c860e79936649da

  • SHA1

    5639c4ea74a22dadc04d016459075fb7492cf3e2

  • SHA256

    44e423439abca43b30b61dd92ea8d15f023273eec00c299601b4f13e47d5c598

  • SHA512

    cb43fd2f07939c9659c0b8ac72dbdb42ff89f596287c2f3e9faf9812c8da2731690a8b26868a4c68d1235ca6fc11ad4dfd826115d82142458fb664c19d2c283b

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks