General

  • Target

    525f07cac9cd19a40421c40402d9c98c70ea1914fd2682b740134540fa290693

  • Size

    32KB

  • Sample

    220717-dqp78aeehr

  • MD5

    47e19906435f64d9bcc0c4d9bbab97f3

  • SHA1

    c96104b2998bef1e6cd27b71c9409290d11c1909

  • SHA256

    525f07cac9cd19a40421c40402d9c98c70ea1914fd2682b740134540fa290693

  • SHA512

    271317936b48c3bf05c808bb40e5976b398c7cd3f0a4b8643df853a10175332071ab9f983bbf4ab5795b5de6b7bd8e5826d612fc46cf2a756c03ef38f845e219

Malware Config

Targets

    • Target

      525f07cac9cd19a40421c40402d9c98c70ea1914fd2682b740134540fa290693

    • Size

      32KB

    • MD5

      47e19906435f64d9bcc0c4d9bbab97f3

    • SHA1

      c96104b2998bef1e6cd27b71c9409290d11c1909

    • SHA256

      525f07cac9cd19a40421c40402d9c98c70ea1914fd2682b740134540fa290693

    • SHA512

      271317936b48c3bf05c808bb40e5976b398c7cd3f0a4b8643df853a10175332071ab9f983bbf4ab5795b5de6b7bd8e5826d612fc46cf2a756c03ef38f845e219

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks