General

  • Target

    2079876ead5102007b2a72d776e71ded2ccf7e81fd0ac48c06ffa87b603d5f7e

  • Size

    112KB

  • Sample

    220708-js28fsgbhm

  • MD5

    5fe502f824cabec6cb46e7c84b257889

  • SHA1

    c03fbe00bda22f030e7fd9854ec376b3df8b6803

  • SHA256

    2079876ead5102007b2a72d776e71ded2ccf7e81fd0ac48c06ffa87b603d5f7e

  • SHA512

    49222d0f46c906f4c67de689f06e86634b78bb5f35d2fbe0d6de5996e01831c66c958e5ff1ad3ebdf668dc9cdbce15242844b2532d020582b87741817aa03d66

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks