General

  • Target

    414dd886157491b78a40ecd03332ee561fdefab14a43a1283533b2cf9c5f7209

  • Size

    108KB

  • Sample

    220708-gw6nyaefd2

  • MD5

    e001106a176350c854a2ba8d13a6595e

  • SHA1

    25c9b58964db48901949b03a9c9519060e5e1647

  • SHA256

    414dd886157491b78a40ecd03332ee561fdefab14a43a1283533b2cf9c5f7209

  • SHA512

    7a749d66e5c3b82f063f01ad3a0a8a74039e644480ec7f4ff37a27088db1a956870519c7eb948ff6cdd08587f84bbb1874417ecc6cd3b9e02c6728afb9b4c066
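To confirm that a file on disk is the sample this report describes, compute all four digests in one pass and compare them with the values above. The script below is an added example and is not part of the report or the sandbox's tooling; it embeds the report's own hashes as `REPORT_HASHES` and checks the computed digests against every one of them, so a single transcription error in any hash is caught rather than masked by a weaker match on one algorithm.

```python
"""Verify a local file against the multi-hash indicator set in this report."""
import hashlib
import io

# Indicators copied from the report above (MD5, SHA1, SHA256, SHA512 of the sample).
REPORT_HASHES = {
    "md5": "e001106a176350c854a2ba8d13a6595e",
    "sha1": "25c9b58964db48901949b03a9c9519060e5e1647",
    "sha256": "414dd886157491b78a40ecd03332ee561fdefab14a43a1283533b2cf9c5f7209",
    "sha512": "7a749d66e5c3b82f063f01ad3a0a8a74039e644480ec7f4ff37a27088db1a956"
              "870519c7eb948ff6cdd08587f84bbb1874417ecc6cd3b9e02c6728afb9b4c066",
}


def digests(stream, chunk_size=1 << 20):
    """Feed one read of the stream to every hasher, so the file is read once."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> dict:
    return digests(io.BytesIO(data))


def digests_of_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return digests(fh)


def is_report_sample(computed: dict) -> bool:
    """True only if every algorithm in the report agrees with the computed value.
    Requiring all four means a mistyped or partial indicator cannot produce a
    false positive on a weaker algorithm alone."""
    return all(REPORT_HASHES[algo] == computed.get(algo, "").lower()
               for algo in REPORT_HASHES)


if __name__ == "__main__":
    import sys
    for candidate in sys.argv[1:]:
        d = digests_of_file(candidate)
        verdict = "MATCH" if is_report_sample(d) else "no match"
        print(f"{candidate}: sha256={d['sha256']} {verdict}")
```

Run it as `python verify.py suspect.bin`; a reported "MATCH" means the file is byte-for-byte the sample above, while a mismatch on SHA256 alone with a matching MD5 would point at a transcription error in the indicators rather than at the file.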

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the payload runs on this host.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory
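
The last four signatures in the list above describe one persistence chain: a DLL is written into System32, the `ServiceDll` value of a service key is pointed at it, a service is created to load it, and the dropper removes itself. The script below is an added hunting example, not part of the report or of the sandbox's rule set; it correlates Sysmon-style events (ID 11 FileCreate, ID 13 RegistryValueSet, ID 1 ProcessCreate) by the writing process so that only a `ServiceDll` value pointing at a DLL the same process just dropped is reported, which filters out installers registering DLLs that already existed. All event contents, GUIDs, service and file names are constructed for the example. The "Checks computer location settings" behaviour is a registry read, which Sysmon does not log, so it is not covered here.

```python
"""Hunt for the System32-drop / ServiceDll / self-delete chain over Sysmon-like events."""
import re
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32\\"
# Sysmon reports registry paths with an HKLM prefix; allow CurrentControlSet or ControlSet00N.
SERVICE_DLL_RE = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d{3})\\services\\([^\\]+)\\parameters\\servicedll$",
    re.IGNORECASE,
)

# Constructed sample events (hypothetical names and paths, not taken from the report).
EVENTS = [
    {"EventID": 11, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Windows\System32\wmicsvc.dll"},
    {"EventID": 13, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wmicsvc\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\wmicsvc.dll"},
    {"EventID": 13, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wmicsvc\ImagePath",
     "Details": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    {"EventID": 1, "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\victim\AppData\Local\Temp\dropper.exe"'},
    # Benign noise: an installer registering a service DLL it did not drop into System32.
    {"EventID": 13, "ProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LegitSvc\Parameters\ServiceDll",
     "Details": r"C:\Program Files\Vendor\legit.dll"},
]


def find_service_dll_persistence(events):
    """Return one finding per ServiceDll value that names a DLL the same process
    dropped under System32, flagging whether that process then deleted itself."""
    # ProcessGuid -> lowercase System32 DLL paths it created (Sysmon ID 11).
    dropped = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 11:
            path = ev["TargetFilename"].lower()
            if path.startswith(SYSTEM32) and path.endswith(".dll"):
                dropped[ev["ProcessGuid"]].add(path)

    # Self-delete heuristic: a child process runs "del <parent's own image path>".
    images = {ev["ProcessGuid"]: ev["Image"] for ev in events if "Image" in ev}
    self_delete = set()
    for ev in events:
        if ev.get("EventID") == 1 and ev.get("ParentProcessGuid") in images:
            parent_image = images[ev["ParentProcessGuid"]].lower()
            cmd = ev.get("CommandLine", "").lower()
            if " del " in cmd and parent_image in cmd:
                self_delete.add(ev["ParentProcessGuid"])

    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICE_DLL_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        dll = ev.get("Details", "").lower()
        if dll in dropped.get(ev["ProcessGuid"], ()):
            findings.append({
                "service": m.group(1),
                "dll": ev["Details"],
                "writer": ev["Image"],
                "self_delete": ev["ProcessGuid"] in self_delete,
            })
    return findings


if __name__ == "__main__":
    for f in find_service_dll_persistence(EVENTS):
        print(f"service={f['service']} dll={f['dll']} writer={f['writer']} "
              f"self_delete={f['self_delete']}")
```

The correlation key is the writing process rather than the file name, so a renamed DLL or a service name chosen to look like a Windows component still surfaces; the trade-off is that a dropper which writes the DLL from one process and registers the service from another will be missed, and a second pass keyed on the DLL path alone would be needed for that variant.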

MITRE ATT&CK Enterprise v6

Tasks