General

  • Target

    7f01a143014e54fea66d7b40186842b78a421a52ca02a616f06d84c9274651cf

  • Size

    380KB

  • Sample

    221126-cfqwbsgg7s

  • MD5

    373b43d5bd25ceb2789cc4653b7377b5

  • SHA1

    1d38d0c189cd32eb4d936cb7ae292e44544547b9

  • SHA256

    7f01a143014e54fea66d7b40186842b78a421a52ca02a616f06d84c9274651cf

  • SHA512

    9bdd5d36a3dccc97e08446d9a55a3bfc716117f6d4dd8fc824ab8991135b123be789dd17bde1513eab588aeb563d52a104ebf5ffc0c880e35964ebfa74f9b77d

  • SSDEEP

    6144:1K30pk+Gl6xqWM3t4xnmIc4T/zwEPvRg/i3wobnjuU31NPsse:lpk+7qW44R17zjqaAofh5sse

Targets

    • Target

      LetGo.exe

    • Size

      100KB

    • MD5

      66f5b672d1c27615ccf5644f53b3200a

    • SHA1

      77d4f6ea42a4e7c3f3d2b9eaf19b12ed658742a2

    • SHA256

      87142a78a463945d210e10c733b90adfc0ca29b60e81af8d1debf2fd3ae1a4fe

    • SHA512

      59b0a184c97f463e45345d6e1637fa15c35fc78438afb48830d85936a74414d6ebe140c644533e62aa564a8e34a3f88db2c2ef19301d846b9b443aaf29c536f3

    • SSDEEP

      1536:UZFAbI7TdP7aQTssv2qf+8Dk2/qiUDtfXo3KZl7QKM90/T1Msid9Tb9NwidME:UAQR7cR8D9/ADtfXoqlk9kZtidfuU

    Score
    10/10
    • Target

      NewRat.exe

    • Size

      25KB

    • MD5

      7f8988bca6b6c4aeb037edc818cb1ec2

    • SHA1

      c9f18fa48ee993c8c63dc1f9ea7676af6b6cf8b0

    • SHA256

      1f8fec5091344eadb2a4987f2cb76f14df27cfc820d4538633965420fac7bfd5

    • SHA512

      73c30cdbff4c11d10c9736af55bbf5a56eb58ff4cad5c7d50dffb70af41f15a7b78e8b4051b98a400af2eecbb73491288e9d4904fdafc2357b27fd53faa48682

    • SSDEEP

      768:9YJrcVXDzqAQDC+NOUwQRipk+jBCYYyM:9YJQVT206wQ6k+jBCYYyM

    Score
    1/10
    • Target

      WEBserver.exe

    • Size

      89KB

    • MD5

      b89be3ac06d28a1d04b2b5b080db77b3

    • SHA1

      7d40d6884ac368d47af53c6f3a545b83c3f61d6e

    • SHA256

      85c95670c06936b8750bed1815715b4b42e797537a2ed1e1dd0cac881b79f1fb

    • SHA512

      d679ae6c2fef72cde43fafa6c35cfc787a541dbf82c194314246067653023de2a2e1325ba6d13610866a84c9f51983173bdd7cfbb2785a2c02adbb8f7dd4f5ae

    • SSDEEP

      1536:SdUVasm9gAHGsOqujkQINbte1EGZpqX5+Ic4FP9MsJLyqTOtEP0Boma1oHXDzt5a:S2gsmbHGhqCkQINRiUsIPZLJh90vbXDS

    Score
    10/10
    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified variant of it.

    • Target

      g.exe

    • Size

      73KB

    • MD5

      5d76063d51fea54f758b7bd6547f4b48

    • SHA1

      48c82f4b92257006e797e7021f324775bd03cc38

    • SHA256

      eeed0ae38ffb06e0589e3db0e4a2c5efb45df48ac29fecc20fe315d1b0a4cc5b

    • SHA512

      0f1b72ecd8a49ed8221431f19feb5b4f0642659cc0fc2fe6e1a17e016eb18448f54462df8470f056609f224c125027be80077ff6ff30557f79eebba4121dabf9

    • SSDEEP

      1536:saOOG6pX/zIZ1O59jzVneEuF1JXEbFyCvH+Z6JcHJx9RSWzysoL:hysMz6jzVneE0UF+ZYcz9RhA

    Score
    1/10
    • Target

      smss.exe

    • Size

      159KB

    • MD5

      b7166724d5f285a40551074a0c74fc30

    • SHA1

      d642aa85d9725694d5f35ecd3dc7d02d205ffc1a

    • SHA256

      0c5fcc6812a53de7a0c45809f9c6e3ebe58c360a46f2663692da412d0a4d303f

    • SHA512

      c8eff03211e9003283d4240a2ecf6b2165d361ede8245f25eb148c8ca2919a8b0c70e63ffbc7bb77c34c93aafe5b4d4d0ca295eb1820dee4491afb27e294cb0c

    • SSDEEP

      3072:28K8Q/9bt8pocgLS6YuGNm3uDGufKiC3Y+xHhYdAsiVxkj9C57OCFpglak3SoMrY:vQVSe+YR/gkhL+uoMrgaOUZb27

    Score
    1/10
    • Target

      svshost.exe

    • Size

      174KB

    • MD5

      322de9ce4eb1ba55c6be27bb61a801d7

    • SHA1

      7648613ec0773056ac5af51c392cd63a77c0d6a5

    • SHA256

      26b0300cec7f4598fda04ca3939981addd2ee4156f4b7a478a4fe4231d7fbec3

    • SHA512

      6a1dec1d114ac9726c5caab429bee217b015f9a0f418a588567667c90267fe07869fd7efd01d9b76b07779732ce9f86f0e368619c3cffca7c29ecda030e23266

    • SSDEEP

      3072:uCDSmJfdBv6/d5IBPBrzKx8UJEkIk6QwsgdUzMqIEtYKrTFY/LK7KL:uXmJkGBPK6UogZIEy+FY/9L

    Score
    10/10
    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself
