General

  • Target

    d0d2c357b0cfb695e9daa1ad5cafec51b573100de2a34acf7014c81283be87d7

  • Size

    108KB

  • Sample

    220724-rwpqjafghn

  • MD5

    034b9c5b4b762adaca488dcd3dee92f2

  • SHA1

    a5a91978533f36434933629b57576fbd711c5e53

  • SHA256

    d0d2c357b0cfb695e9daa1ad5cafec51b573100de2a34acf7014c81283be87d7

  • SHA512

    1ca73e2d776340b4749a5454914c20d90579fa432cc6b32d6f7aa1d0a993a296a41f2465733267b806aa7d72101da3ad056376b2cbad5c3fc390db38f834f08f

Malware Config

Targets

    • Target

      d0d2c357b0cfb695e9daa1ad5cafec51b573100de2a34acf7014c81283be87d7

    • Size

      108KB

    • MD5

      034b9c5b4b762adaca488dcd3dee92f2

    • SHA1

      a5a91978533f36434933629b57576fbd711c5e53

    • SHA256

      d0d2c357b0cfb695e9daa1ad5cafec51b573100de2a34acf7014c81283be87d7

    • SHA512

      1ca73e2d776340b4749a5454914c20d90579fa432cc6b32d6f7aa1d0a993a296a41f2465733267b806aa7d72101da3ad056376b2cbad5c3fc390db38f834f08f

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks