General
-
Target
MALZ6.zip
-
Size
17.8MB
-
Sample
230327-lh7fjacg23
-
MD5
5ad5a10e0ae8eeb1bb6817c9d0cd960e
-
SHA1
ecb3ffcf79aedfa3c35c2dab0b4f5ca0f872b62c
-
SHA256
c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099
-
SHA512
05b6ee99e6843d928255daded5a699231c25275b726f68be2b67c6bfc59305bc2b2ad5ae6ab11e70ce975a3ad10e7acbb520601728d9e4b255b7891263828cdd
-
SSDEEP
393216:P7tKCblX9nuQNeyIvnpDDsIT0vyirPw9yesWcnE1zoQrq8:c6hVeyQpvsIgvyirPiKWcnkUr8
Malware Config
Targets
-
-
Target
客户端(Client)_KEY.exe
-
Size
1.2MB
-
MD5
b0aacc897731ccf1adee875390c6cfcf
-
SHA1
494182a125ce93921252c79f155d4c10db049899
-
SHA256
e182e12f86fcc70e57c6ed760c5789e6c1a08dac5b4bfb005509c1a7038e9990
-
SHA512
b3f8f4793d9b00f1015ea0f9a77a0cf6672fc700036781adf5d5e4c559573f191d4ef982e57e964f7ad107664995d6f5cab6bd20d81f9f6f592602468fab2eab
-
SSDEEP
24576:4zOhmv9L5ldZz5NLDvHvK2OZkh0y634ek4cKWd6JqjzD8E:wZHzz6y63Jk4bg0VE
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
06432
-
Size
384KB
-
MD5
9a51d462452001e1f04dd68cf4336c54
-
SHA1
594d570708fa03d0ab37a0306b38c134be90becc
-
SHA256
7b06be1d204ee0b5ebc0d4cb287133b796bb28b18414ce3b1e8d31691db8b172
-
SHA512
e89c9abca2fce011ecade9763fdf738af4b642d5bad22af9a78b25e6a229409b1cb823e446569f7d647ccdd88f6d55094bcf7f4c591951d01f72b7b6d8e4deb6
-
SSDEEP
6144:AH0cwGaZNuEtdb3usKYgoJ4o+dp5ky7aIq1/axpR9yMl0gXQYjTwk73o:AHZwBTdbFKVy+dp5kZIlL08QgwGo
Score9/10-
Writes file to system bin folder
-
Write file to user bin folder
-
Reads runtime system information
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory
Malware often drops required files in the /tmp directory.
-
-
-
Target
1.exe
-
Size
2KB
-
MD5
26162a10ad7f77d367b92ab22f8e6fd4
-
SHA1
c497c4ad6be12606c909646598b92cb9f8c7f15f
-
SHA256
9ebf4c7da32ee2a39ed57364ad5d79697dcdc7cb24d41f4bb7cc01db55f646ca
-
SHA512
c71e04b2bad4282f70b24734284f7bc2d4bd4f31484623741413c1f5706972c02088ed4470d292df4d1668f8dd7e7526e7bd937ae076d1b2eed7e0ba5de5e7f3
Score1/10 -
-
-
Target
518_2.exe
-
Size
68KB
-
MD5
4ad86e5001f11f30b6f67344c325609f
-
SHA1
4bcd6382f5d095f271f81f235d0285305a48ab02
-
SHA256
aec671efacaa95db6e4487bc2914038f80939be5889d4b313aa137ac1ca91549
-
SHA512
bbf47ebacc510575081296d8160ae8e62e9619f56192c80f9d52a38f607cfa19027cfb04e507fc263b44f77135f32454ea1da0af4cd8046ccd6dcdca2ffef434
-
SSDEEP
768:EkHn8ozagGwcfAXZq6Imvy0D6SbUtOpgAq0:E8n7Gw5p1IqrAtOp3f
Score4/10 -
-
-
Target
520.exe
-
Size
29KB
-
MD5
4757d1138e38d916bad87bfa92cf90c9
-
SHA1
06d7fd312e50eb34512c5e9ac7eea29f76c8e667
-
SHA256
0f254db8f98e6626c487e0bb534b27f33fce6c280ce77303ad356f8c1ce01e11
-
SHA512
002382b2b860657b17b15b194b160d4e6dc880ef068ac9a5733617a960e7da8afe9d33e5efe520ab0361ae2b014e049cfab1006e96ac65759c29aeec66548e86
-
SSDEEP
384:wVQPhCc4EMap5JN1VY8ianYPLI46OXBc1yoMOmFi6j:kQ50EMaX9V3ianaXBc1f3mb
Score4/10 -
-
-
Target
Drkv
-
Size
1.2MB
-
MD5
3df5c5e26e2d9fd4946c8121299cd513
-
SHA1
efaa2e397773a5eda58a68ddce1d9e17a90fdbd3
-
SHA256
a17ca067bd6f74817a0516e6083c0739fc9b9e36aafd95b74fddc84343972cda
-
SHA512
9574af57a2984065c6c348f7242533211051c5e9e03c74d6926023c64f61805b4d28698a3c77c3c33ffe33b84f0224f308889a5071bfeca3557fd58043dcca78
-
SSDEEP
24576:e845rGHu6gVJKG75oFpA0VWeX4q2y1q2rJp0:745vRVJKGtSA0VWeoJu9p0
Score9/10-
Writes file to system bin folder
-
Write file to user bin folder
-
Reads runtime system information
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory
Malware often drops required files in the /tmp directory.
-
-
-
Target
FCK_RSC.dump
-
Size
8KB
-
MD5
aabeb05e642b2f9acb86a5dc1a600813
-
SHA1
abba695b782c0e644b971b65d4dc7b8349714488
-
SHA256
8b1d4870fdc940da538f225251996794f2f10ab7fff718d1aa884be8468dcfce
-
SHA512
730fd04e4624f4db8c7c92e786148139d457c5bdc28badb3b1cbb70b61fd7b20655c2feab90c5c91b0d30f42a2d7bccb2ce0120752e223e6df2139c371b4be8a
-
SSDEEP
96:b/TFVUFXleWwunodJsFDgt1CEiRgWY3ZbBNVyJ6/xMWwWHB6KJAso9Rdtoewc:fUFXlemctwgRPNVyJ6/eWwWhlDoHgzc
Score1/10 -
-
-
Target
FUCK360.exe
-
Size
250KB
-
MD5
7ab51c2e2fdac53f3360bb5c8b73734e
-
SHA1
076d233ef06971a64f9b009c03627a491444a422
-
SHA256
8a7ad72fd6d3936ea3ad0ecadc063b382c6f0f8ff65b4839df1f3169f0135216
-
SHA512
35a6247f16a0295140782d0ea73754a37aafa09ba62d1f2be0a822d7f1b548921bad94b563ff16f1c817060544560f3c66856f0a85862cdbdfd85e29462abfee
-
SSDEEP
6144:XaLSyXt5iZ6hyebe81XrTE4/Cw5E2XppJZxA:qLtyGe81XU4rttQ
Score10/10-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
GetPass.exe
-
Size
52KB
-
MD5
d25ab00267a9da1944bad9e1115ad428
-
SHA1
9470006b8763054e14d0e4708a3708e490cacfe9
-
SHA256
07fc745c29db1e2db61089d8d46299078794d7127120d04c07e0a1ea6933a6df
-
SHA512
a5906883361a4ce9ee6e3556808f886ee05e84063bbc7e394a33463767e8670eba5cb9f76abef894fcd8607eb3d197ef69e321996246c1f93d463748aaacb206
-
SSDEEP
768:Feizs4ulZdVEUHw+0QcKbUyQV8gmDzQn3pVok:w3vpHwPQngyOWDCVok
Score3/10 -
-
-
Target
HkMh.exe
-
Size
332KB
-
MD5
1cd12a8269d6ed7af46c6d82dbf0db28
-
SHA1
cf47e4ce299999ce9b584e29f29cd3942d8abf27
-
SHA256
83e96c76e59b2d12849e2f92306c76bb90687194326b79546ac9ed2a1d8b6162
-
SHA512
20106eba738c1e0ef1f544879b4036b81cf19aba8c6d581aa6c546af68c819bd7f283138ba9fed55f82feacfcb4c4dd4ba1e0b5af8bf8de481444292109a9baa
-
SSDEEP
6144:xBcBaz+oA9IxnN8veMdpRTAZbl/NMe5F+/fAsluDXKVBopxC1rUniJ734maajc3A:sBaz+oA9IxnN8WmAZbRNZOAy3BUHniJX
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
-
-
Target
HkMh_2.exe
-
Size
226KB
-
MD5
6d5aeb2b084f4fcc5defcd584953acf1
-
SHA1
56513de25668afef7ee860fec5934d7820a9f1f2
-
SHA256
1e3c843183830bb4c4f6078e866780b19f6967fa200d809998657f184934998d
-
SHA512
44f75c3f346d8de8911673ea75ebbdcd54a574b907cb5437ba3f457f487877b33f4e93372179b59e66ccf34383f273298c28ff4e0b6a1fa6cd4e030c84e308bb
-
SSDEEP
6144:bCahtHLoObzXYsWWYbEqaMyveyjV+nByskr:bNYdbgeyjwyr
Score10/10-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
HkMh_3.exe
-
Size
176KB
-
MD5
0cae2144249cca11917ce26657fc0281
-
SHA1
e7ffc36c62c26e987c6954e4739a306a95d119e1
-
SHA256
5fa749158a4dd5dd030bb97a5ca74a542ae4661b2a76ec69b29d41c3a32e8767
-
SHA512
50c5ea18407b74fc5d741d602c87a28c0bfebb348a8ff1710026951937b1e9077a353ee0b9bf2eb648b83a60e34a5e934d8b95c1b7e1202933aea875e6975027
-
SSDEEP
3072:MBFDC2a8kkalMLmNTMeN1vT72dPxIhf+5HS5LTbl2NBX9ZdebJR3u:M/inHlN1vTyTIBEHkTbl2zn0bJR
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Modifies firewall policy service
-
Executes dropped EXE
-
Drops file in System32 directory
-
-
-
Target
Killbash.x
-
Size
338KB
-
MD5
7622b6a703b61b767a8f15fe24801ff8
-
SHA1
d987be4df6349f1ed7934b4e0154ce743bce863d
-
SHA256
95fb9e93efec22c8426f3d557a0c353ff63aa323f42180ecacdf9cd7cfe4c5aa
-
SHA512
e950f0eb8b971980342f889b36b2794b883925879e6a8105c1179e9b99492006f324f0aeedc62f77ed7ca8a0cf13c99eb7b6a2e38f4e6bd41e511ac38143fa00
-
SSDEEP
6144:wFE15RyBAwujPOjS7624nLqFLof5cAw+l0qbRQ2Aj4qewO3TjC45:jllGSWlnLIoRcAw+lFbSsve45
Score7/10-
Modifies init.d
Adds/modifies system service, likely for persistence.
-
Modifies rc script
Adding/modifying system rc scripts is a common persistence mechanism.
-
Reads CPU attributes
-
Reads runtime system information
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory
Malware often drops required files in the /tmp directory.
-
-
-
Target
ShellCodeDec.bat
-
Size
74KB
-
MD5
381744f92d0d5fc08efad4272d334474
-
SHA1
f4152e1d4498023c6377092b79a6746f19cf7c60
-
SHA256
3c5b9126bc245f99f4d89ff7871af4f333f92405ed40e197aa8314b2644c1e6c
-
SHA512
ff5d6a7f9a86a32cfb36647b501ee0391014f2a8f648eb75fab702581454f2d7668f9f592903765ee17d0897202f5114538ab16b237059f1c9608bddfb955b08
-
SSDEEP
1536:sg01tN3rHoLzvODn5qchGGxfP361DssRfAQ:q1ILDcn5qaGGhP3614sRfAQ
Score1/10 -
-
-
Target
TSmm
-
Size
31KB
-
MD5
9a6841cdb36f21d523cd346975bbb7c9
-
SHA1
69f5a3bf605c513ecb0a67ed8f4f5aff9d126dd8
-
SHA256
8c22df5b0aa0fb2cd4ceb88f905383508ce5bae4ccf422c061ba0a1cf7802ce5
-
SHA512
cc2b2ed0262c222df74f3fd8c2a132628d87b9d203fae2ab3c8570e281985f597bff2cbd8d3920f00f24acbc418fb00d1f1570087ca2bba6167ca587febf353c
-
SSDEEP
768:onP9R7JLjULRm7oKYNEfOVmXVtje7heNcfb5:69D3cD6WcFtC7h51
Score1/10 -
-
-
Target
Trustr
-
Size
1.5MB
-
MD5
8e300a75d4dc0bb5ad7ca16f3b982c4d
-
SHA1
acb3a0014a41c7002507281fa203051c2bfd6df7
-
SHA256
0e6b7297e0d268689c958889a39733a7367e6836eadd82c475f577f26b64d7de
-
SHA512
f0f5b84911bf027b2af783d10b23e2711a43fa7492dc7058d0a64bc109f06ed5f4f32c82bea73861c3786956783c7bd73cff5d1c359729a1a672dbb5312c725b
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhGG+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rhpbccIwhL
Score1/10 -
-
-
Target
UDP.exe
-
Size
31KB
-
MD5
161f6beec09cd33d710f8f97365ee6f6
-
SHA1
9c408d1b53a1d03e8c7a3f85e050870f3d9a741f
-
SHA256
f73a89b6a5c42d21ee4f7a4d79ad784cdfd896bbe2453b60cf9688786f7a9d98
-
SHA512
e9f2afd6ad8216fa0f34cca29ba4d8753a03b187f4e9c29a0607e9b2ad932b788cb9a75db54df0db522e2a20d54a12992ed2396f40f06ab8cd76a89bcbf1e6be
-
SSDEEP
384:+ubvs5ed2wcTZr5bDDOp61lpHwdkJAqJDPHYM:hshb9r5b3Op8lVbJTJwM
Score1/10 -
-
-
Target
a
-
Size
1.3MB
-
MD5
84839072ae06ae3e47d93f3b79067305
-
SHA1
eb578777ca88dcaa72cb9b22720618b2e3aa770f
-
SHA256
dd77459b8d76d9be75dde3f2aa8e8434b266bc98acd15966c6ae65a6620b10db
-
SHA512
3b004be47b8aef3ce9ee821d267ef4e36dfb2a17bdbbf8630f24f119f3ad26c862a79a1e8afafe7e98422479eb58dd8b2ee5c644d3aef84f9bb2eab991f878de
-
SSDEEP
24576:X8BHnVsZc1VZneCEuvLmJ7p9fomAmgAspprQYlGtmgmH1LJSwYS3uJdE0cG/v5FH:YHnVec1VZnezuvLmJrfvAmgAspprVlGR
Score1/10 -
-
-
Target
arm1
-
Size
977KB
-
MD5
cb75be331a7b5cb54bae9db9f4ca643d
-
SHA1
789ccb024361d7a4911dfc77bf1c93442491c3c9
-
SHA256
8366aea8087a354cbd178f920770b35d785f988ec3649bb7e282d1e3272a6b77
-
SHA512
d16e503bb8434c324976747b9f90092fafdaafcc877c588b18c8d1c14c9d813552389dea496a1b2cacaea4e2ebfdec6a630c68e44c645d1a25da9076e6f4c32f
-
SSDEEP
12288:erXiRPpwBSHJB2A6f13P5D79dmuxlNzJs4dm3yxiD1WjfGAIFDFvyq766Pd8YTQ0:jvwlP5DJdrRJsskWU5RPdg2ByWwK3R
Score1/10 -
-
-
Target
bj.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Bootkit
2Hijack Execution Flow
4Modify Existing Service
4Registry Run Keys / Startup Folder
1Boot or Logon Autostart Execution
2Defense Evasion
Virtualization/Sandbox Evasion
2Hijack Execution Flow
4Modify Registry
5