General

  • Target

    76fa309a575475f7909b62d088a6ba59f117abec821d9492eff6d3c68047ec72

  • Size

    32KB

  • Sample

    220724-rwq9csfff8

  • MD5

    b0e2153867e4e9e6e64261b0a318c885

  • SHA1

    651252b08920de947d5ee1a49aa072f9a281a176

  • SHA256

    76fa309a575475f7909b62d088a6ba59f117abec821d9492eff6d3c68047ec72

  • SHA512

    b51c94e2169d4248f9445683b4b435a0d7c7bdabe955f6e3cb1337b0c31c734c14ab3ba9b0dea4d7c5f4a0c0f5678c826b47440d40e841bc9cdec19e12207270

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • RunningRat payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory
