General

  • Target

    3564f5989a28c05643a17d089729266374968f93055cb5f597a8970ff121cd02

  • Size

    12.8MB

  • Sample

    221127-nhmggagf2y

  • MD5

    2e8225c338466a96ece2724f4e283486

  • SHA1

    9ce3bbfb28946135c74d4cca1e6f6f795d0bef09

  • SHA256

    3564f5989a28c05643a17d089729266374968f93055cb5f597a8970ff121cd02

  • SHA512

    49e252cb482f5b9d22322adf93384b419e28ecaa9a145927cc2445137a5e90eeb4d7ca36672f5125e318c0e3d3c2e693e701c3168ab37d43c8da2d3cdbd5b8c4

  • SSDEEP

    393216:opgl/I3hCRd6w0mSmG5fcDacjdQkvMe/5r7vm:rAad6wNSmkfIacjdpJ/5r

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
