Resubmissions

  • 29-11-2022 08:31

    221129-keq4pscd47 10

  • 29-11-2022 07:31

    221129-jcd6pacb6s 10

General

  • Target

    06958f1b31d88752a1ba9b11b19424a2.exe

  • Size

    473KB

  • Sample

    221129-jcd6pacb6s

  • MD5

    06958f1b31d88752a1ba9b11b19424a2

  • SHA1

    498359f2df703ad8d6fb0a897d306736096ba7aa

  • SHA256

    d4989fbd8ab2cd81f7e882649dcd1cf1c27b48a7e1895538d557469b307571d2

  • SHA512

    8e00fc9ca52551c47244372b00d8b624d049b7abe301160bae599c561f9960044218cb9d6f74ed177ec149220bca45a1d70ae397bcd251fc438a9808b08db2d7

  • SSDEEP

    12288:nsaY8revhYIOyzGWIyr+VtivWByO/c690YWLF56KID:B/repYIOyZ+VtS301uNv0

Targets

    • Target

      06958f1b31d88752a1ba9b11b19424a2.exe

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (1) T1060

  • Defense Evasion

    Modify Registry (1) T1112

  • Discovery

    Query Registry (2) T1012

    System Information Discovery (3) T1082