Overview

overview

10

Static

static

10

123.exe

windows7-x64

1

123.exe

windows10-2004-x64

1

360sb.exe

windows7-x64

10

360sb.exe

windows10-2004-x64

10

7000.32

ubuntu-18.04-amd64

1

7000.64

ubuntu-18.04-amd64

7

Linux577

ubuntu-18.04-amd64

8

Mh.exe

windows7-x64

7

Mh.exe

windows10-2004-x64

10

Mh1.exe

windows7-x64

7

Mh1.exe

windows10-2004-x64

10

Mh2.exe

windows7-x64

7

Mh2.exe

windows10-2004-x64

10

SETUP.exe

windows7-x64

SETUP.exe

windows10-2004-x64

TX98

ubuntu-18.04-amd64

1

TX981

ubuntu-18.04-amd64

1

TX982

ubuntu-18.04-amd64

7

TX984

debian-9-armhf

7

TX985

debian-9-mipsel

7

TX986

debian-9-mips

7

bjyk.exe

windows7-x64

10

bjyk.exe

windows10-2004-x64

10

ceshi.exe

windows7-x64

10

ceshi.exe

windows10-2004-x64

10

ddos.exe

windows7-x64

1

ddos.exe

windows10-2004-x64

10

dhl.exe

windows7-x64

7

dhl.exe

windows10-2004-x64

10

mh3.exe

windows7-x64

7

mh3.exe

windows10-2004-x64

10

server.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    malz5.zip

  • Size

    12MB

  • Sample

    230327-lpmppscg42

  • MD5

    1468c1908845ef238f7f196809946288

  • SHA1

    62f0bd56b0e1235b99940b34916c19ecfac8e80c

  • SHA256

    438e44aae94e8376d2e36e23212920e936b7517bca24eaf66e9d7d014e21552c

  • SHA512

    83d65df17c88a4cbc64c6fe4d5e064850aeb3cccba2eb5097d3385f4195e1b94a374528e0a6b92f7ad1db2c78bb7fae3c0e563a2a828f5f8ce0459eccd72b496

  • SSDEEP

    196608:NllU8B3ffcP4fQ74RGBP91vnbcMlB4mVgGj/oRPA4CbyrE2C2+QQnr1Gh922bkHy:TtB3HcPEwpBPTvbtVfcq/yzR8Bt2aT8V

Score
10/10
gh0stratbootkitevasionlinuxpersistenceratupx

Malware Config

Targets

    • Target

      123.exe

    • Size

      60KB

    • MD5

      07b3c7c475a0204f34408d806a4d0883

    • SHA1

      72da95ef18d46b5ff6f75c90da29d294e8e755cf

    • SHA256

      457bf2d5752e50d343a655993e9f308a616f4123c5fbebbc369f12c49bd502b6

    • SHA512

      4c57ce6ee744227219cdfdea5e67efe605c62d7ae99233a9b886bdf0144c70f0317be3ba5dd01c097284c3c86e7005165b9d74ef43fcf28d8d5fd34717c0f1c2

    • SSDEEP

      768:5blRLS2f/IbhNGgkqUpbj3Pl4SSbUtkokv9N:bBSI/UGg6P326tkokf

    Score
    1/10
    behavioral1behavioral2

    • Target

      360sb.exe

    • Size

      74KB

    • MD5

      ff3638137bdb13438ae78bdb295fb74d

    • SHA1

      d1ff58701713d307430fd061592ecea3c1cf4e6b

    • SHA256

      61e5303a9e3c3f0b5c70749c4ea2d619f3b5bae341189eaff28393f337113fca

    • SHA512

      dc87de3bb1689bea6409c33b2af420f8274d4c36862dfe79b98b2195c72057e76a0222aa3c61a144e6927a0bbe5a3a95afe4df430a342f35ba1c7d5c6fda339f

    • SSDEEP

      1536:aunpULRX92uqnsRDwdQW3YBlCOCbZawM:aunyLR0z3QOal/CbowM

    Score
    10/10
    gh0stratratupx

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      7000.32

    • Size

      272KB

    • MD5

      1a2ca76f4c05df6ff90be02108f36759

    • SHA1

      518ceab47c71ea46625e64d1e342476dfee85985

    • SHA256

      5647a07dde1da4334e6a311519ee08ea1ac2fb6ff0841e81a2bd6053b6b59062

    • SHA512

      6340ca6862b4e22660748110da46227be889d7718242dcf0f9df9ecdce9bef5b9ff66b5bef0437813a73355ca1344408dd92c703ace821036578921f1c06c2e8

    • SSDEEP

      6144:+1FJI4kHXz3ghDymssoxTAbDcG3kj9M5apyFMMX:+1/0Gu7saocG0j9M5kMX

    Score
    1/10
    behavioral5

    • Target

      7000.64

    • Size

      710KB

    • MD5

      d80e1546a194e42f049b1a15287aa4d6

    • SHA1

      980f2d902a250cd3298e2acf45bfbc31044cd8f5

    • SHA256

      7bce4673ac5b7db9bd5d27076c770925c181745b784f806024413a3b5552eebf

    • SHA512

      24501f6bb75078ebdb51999ed32ec1cea6ad57fe27dd48e12066de65dacf8570d0f875c79b9734f844f60042ad8c806d8293f9a92ee15d59fd9b68a50eec8a49

    • SSDEEP

      12288:ZIlddxPHCo90S9LTXIXs5im4MkQbSJDTdx4Is//O1ScnBM:ZI/dLTXIXw4jQb+Tffs//gScS

    Score
    7/10
    persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Write file to user bin folder

    • Reads CPU attributes

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Enumerates kernel/hardware configuration

      Reads contents of /sys virtual filesystem to enumerate system information.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral6

    • Target

      Linux577

    • Size

      474KB

    • MD5

      9e96170c07c1566ac0d9d7b93e7928d1

    • SHA1

      f762afafa8bf6b694bdc0bf00d8b4caa38d96ddc

    • SHA256

      825cbeae503c8d9f4ff8a55d14042e83db220f4ed428e57b57fc48335d09f359

    • SHA512

      e042b528351ad9f32fe37d60bc2b45bb7b7b2cc60c59a10e8eee00a4417c53afa55803f0e9e1196aad912f0b881cfe627dad38802181a0d447b80985344cbd55

    • SSDEEP

      12288:Cd3IH4kbsBnbOXzFOS4NhgvMfA5z5m9NO554UA+:Cd4H4/OCI16O55h

    Score
    8/10
    persistence

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral7

    • Target

      Mh.exe

    • Size

      410KB

    • MD5

      6b6fa473cd53b3b1d20fb7d0d7d94dd2

    • SHA1

      ac8682258ec2a9556c5b06dac4b70aa7f408146b

    • SHA256

      e4a5f740683ce26d8312c336e1a2d50aa5b56efe61fc793ff3f9dc08af2da30d

    • SHA512

      59a132a04c621aad34c2130895e1c33f8a988a1d400b91ab712c4058ab6fefda698d01f395dd88f15cc8382f6826eee6550296b00981581a5b8abb10682fe9b0

    • SSDEEP

      6144:66a0cy+o0eBYJw2acFyuItrcF7Faf3DROwunbNvTr:7XP0pJvacFyuItgZiTROwuxvTr

    Score
    10/10
    evasion

    • Modifies firewall policy service

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral8behavioral9

    • Target

      Mh1.exe

    • Size

      410KB

    • MD5

      0c80a0ef434aaecd6b1c888567935b97

    • SHA1

      ad6730df896f7bb0e4379b8ac543c704f70f8292

    • SHA256

      bb7850028720aace62daf55e8ba0bcf0b1040ebe20f3035873e9fd7130ced767

    • SHA512

      7a8b601b6d027c0f017a620aa117c7183c05170aa6f90c4a2a177ad82b938f00b181007d69eea128b4ee738b2397a2448e2a33801daa102bfdf2b39f1917e6de

    • SSDEEP

      6144:4ta0cy+o0ecIJw2qDukfgpFyuItrcF7Faf3DROwunbNvTr:eXP0yJvqDlQFyuItgZiTROwuxvTr

    Score
    10/10
    evasion

    • Modifies firewall policy service

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral10behavioral11

    • Target

      Mh2.exe

    • Size

      410KB

    • MD5

      c4fdfaf0caa9f98856f2135407025b7a

    • SHA1

      0614d4a3db2045374c8308b84ad6864dd6db5869

    • SHA256

      c08823a1d6ddb98b4ffd6488e8fb282c371ba4c30336770ddea7be50a33d4229

    • SHA512

      903221846dc5498649af5a167ad1477d93007ce344c7de2399c3dd2489def93348637e08f6e03398e7f247b249b04e705b45f7123573fbf00f4b062b6899294a

    • SSDEEP

      6144:SKa0cy+o0e3IJw2KpiBo+R9/21TkeVQVqOAh2/qIqUk3oGvNo:zXP0/JvKp+hN1bVqFh2rJYo

    Score
    10/10
    evasion

    • Modifies firewall policy service

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral12behavioral13

    • Target

      SETUP.exe

    • Size

      193KB

    • MD5

      920a14447a82c7b020501af6fe8c88d3

    • SHA1

      bf3201d891dd6afc2a787dae1eae6e396af72c33

    • SHA256

      0c273dfdf2af911e189997b04a9b76c48fcfe14fc07ae0fbf639618d2887cf7d

    • SHA512

      bc365b6d5e961a06167e325a1193aea0239f56791dedbd13fb6d8c4d18736c5912eaf84683c5750f736017a95b09de2082a74f813a8a045f1d13eab546f0327a

    • SSDEEP

      6144:mN2g1pIizw29kUhIOkk/DkzgsuIPDkzuJLie:mA+pL80/ozhvvie

    Score
    1/10
    behavioral14behavioral15

    • Target

      TX98

    • Size

      83KB

    • MD5

      5ba66307564858dfaaf671c78e11f37d

    • SHA1

      45fb2fbd1eb2d53a0c71c2d5fb0397711df99e54

    • SHA256

      0468b78c9eef6bde2367717d38347af54fce3df871382789cfb3780fc2731543

    • SHA512

      e7edabc9060768d875f7dcc98fdb4552a8311d0c1ad408a70e7f67c7c6b0d15a1ea4e002fe92dc52f0379417f941169683e3922b788783769eef0b8310bf4051

    • SSDEEP

      1536:lCudpNeZUCBis65ifKnVsrTvC/LMpDLul4b2bQHb3S+aHAdnwU:oyIUAi/5/yCTkDNqE7i+qAB1

    Score
    1/10
    behavioral16

    • Target

      TX981

    • Size

      4MB

    • MD5

      0874f1d99a37f34bb154013bc827bc3f

    • SHA1

      ebb072a3c4ed3722f4649d490593d3c1e7dacd88

    • SHA256

      da1dc452102758781c6a5a9f48c650e8efa745cbaab050f30c14e7b558946efd

    • SHA512

      9552292a2d588969fd9a035a1946ccbb0f4c4ae806ed8faacb98f52e2f9f1395e9c65f2976751f393a46fbee5184316b072bae3517d915fa0bf5fea72b12a722

    • SSDEEP

      24576:OjTY+ufmnFLLk53fRlLpipTBwLPwlrc4v6nka:OjTY+ukvkZfRlLgpTBwLPwljCn/

    Score
    1/10
    behavioral17

    • Target

      TX982

    • Size

      1MB

    • MD5

      bba8b35378fe7872ab2b5026f12b5e72

    • SHA1

      17d52f40b6cd116e81685beb91bd0b14dd9114f2

    • SHA256

      97192a841a178aed607674f7bf457cf53ce025571fd47da842d3ffd0ecf4d4f5

    • SHA512

      d97a98093e55de5c3eca87a8e17fa8d13e1240aae3ef4634674e5f66a4f5eee91a27d2f6491e45e474f75a1e9740c31ecf94cfef3de5095fee418e37e15431ee

    • SSDEEP

      49152:bNihhOhBNhKhyu7cYx9z2rAnKsfROaFyZB5Ss5+Nu:5ihhOhBNhKhRwwJ2roMaFyZB5Ss5+Nu

    Score
    7/10
    persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral18

    • Target

      TX984

    • Size

      977KB

    • MD5

      fdd1c9ad7f04868d4bed04f8708bec5d

    • SHA1

      bc49a05e5a38ca2a9b0e0ef99819a8ff833b378f

    • SHA256

      8b5355748604150f8ce643305878c0d35e33a59bdcd25de9861497557b972359

    • SHA512

      3436b51881e997d38c271224f868aad2b5d11fa262c986c12ec75c70f3667742673f99386f7052df2d036ce2dc5efbd0fd5d51049dcb0589a7f13fadff81c205

    • SSDEEP

      12288:erXiRPpwBSHJB2A6f13P5D79dmuxlNzJs4dm3yxiD1WjfGAIFDFvyq766Pd4YTQ0:jvwlP5DJdrRJsskWU5RPd82ByWwK3R

    Score
    7/10
    persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads CPU attributes

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral19

    • Target

      TX985

    • Size

      1MB

    • MD5

      5ab68ecc6f6262c76fc1875972a508dd

    • SHA1

      dac088cc4ef5377efcf81a325c8516e71a792672

    • SHA256

      aff22363942228229a1b40a4581f5e0593714d553ed5f2ea7aae15612b28142f

    • SHA512

      e0837b8ec1632bc3493d79236dba2bca402f1d77e5ad9814c5df6f8b59115f69b71189a8d345df0ad32ed01e78ac3d151741643669ddc23595d9f74b7b7731d3

    • SSDEEP

      12288:v0gZjw/mGyri7g8Nyllxm+KYCy1aPrfWf47b/d+qdeaQklaHhmM7tL+GSPlXJZru:VETLPAFHcMJ6l5ZZVt6Ai3YKhAxtK

    Score
    7/10
    persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads CPU attributes

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral20

    • Target

      TX986

    • Size

      1MB

    • MD5

      8adfc3cc5e225440684e74b7f7994933

    • SHA1

      fbc72c5bc436a7565d994886e238b80731e373b8

    • SHA256

      746fd8e299a5542658c051d08765f327f3c3e48248698a29cf57f151a282b157

    • SHA512

      e9dda159470640c11a6832f8d6be355d90b32c9c1fa7b938b47fc37fdeb459ccb17a8edeed8e0c065f107c7b04eed4b8dea5290543564a7732d3ae8c4c57acfa

    • SSDEEP

      24576:qsFkPsgRseqq7s7L23vHkF/CZ5lfwNjcpzdmMqMSjG2oedCp/mpyS1tFhextK:leLsL23vEF/CZ5lfwNjcpzdmMqMSjG2F

    Score
    7/10
    persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Reads CPU attributes

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    behavioral21

    • Target

      bjyk.exe

    • Size

      377KB

    • MD5

      ca7c977b5b315dd62b0189f2619764db

    • SHA1

      42ce52b22e5017990660148ba6c5ff0097c5af01

    • SHA256

      c6d90ced12fb16ca9ae112787ce6d29379b06e0ba0a90595e337c07453a571fa

    • SHA512

      b7be48e4c7ca12e0059a6b0064eaa8e8c1f4bbd7ed62c2a34671a5875ba25715b45b780d54e58f5429b2cade56244f6a820a46c0a45b0f7e9d4567213a499427

    • SSDEEP

      6144:xsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90Q1vPjrVCTH3mwVaYo7/8FaA/:OtWUzJq8YPbncT3+vXPjc3xVaYo7UFyO

    Score
    10/10
    gh0stratbootkitpersistencerat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral22behavioral23

    • Target

      ceshi.exe

    • Size

      303KB

    • MD5

      3ddd0fe1b5a21d08007805185072bdd0

    • SHA1

      174d3667b9f266b139f5892c961e7609a6134d79

    • SHA256

      42676dd65d1dbd81f8f8e751790b4412c5a179feb7edb5460cf230463f141299

    • SHA512

      2b633d6be693f46ac07e17c43a7389655e7e7e0ded027e9a82ca120139e0e44c68d1f76b32e34501bb9d4d3dcc9d44997c2803999b9aa1f2fec8f531464fdd9f

    • SSDEEP

      6144:rt8nMnJqNMFSTLeYVvI8vw+Ie51BMz3VolJXUVLAW5w7wIAsKCEc4YgUFk6Oa7HS:doNMsy8I6KFojXUaWQ5KCqOvOaJt+

    Score
    10/10
    gh0stratpersistenceratevasion

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Modifies firewall policy service

      evasion

    • Sets DLL path for service in the registry

      persistence

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Deletes itself

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral24behavioral25

    • Target

      ddos.exe

    • Size

      38KB

    • MD5

      d68ab23225bf1388a7a16963356a87b6

    • SHA1

      09ca273cdecf55b67eb20ced2e11a64b52058044

    • SHA256

      3e20b4ca4fea293b596c23328a06207c301d135774e461ff5c5e7b84784ffd47

    • SHA512

      ae38756fe73206ec9fdbd4b1c8e57c6e880630385bd5fab2e57ec3f61eea4f3a7d9aa58c8f593eb68d8a6c5df116e24a19f7bdc771d7d97eec7f7cb602d9f234

    • SSDEEP

      768:mACSpftPzWIYHqfwyk0vsYRG3IUlcV0njosBRtmwOZO4KaAtGB9wMCC:mXSLiIask0vzA3IUlcVIjLB9nMD

    Score
    10/10
    evasion

    • Modifies firewall policy service

      evasion

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral26behavioral27

    • Target

      dhl.exe

    • Size

      311KB

    • MD5

      1170aaabfc50ba1d8afd2bdd3fde5e33

    • SHA1

      a345658edc7df429c515bc949d45661c7446136d

    • SHA256

      022600b997847cb9795b58cbef8b1058760d3037158f1d8890825f20e3f8745e

    • SHA512

      333c8e2af8f7b845abd897cd7d86ab68545ef2bddfda6f24216aa7fffeb39594756a666500fa3495205505bb485e4659c9e66f3c639d34bc12cf929b00950ea6

    • SSDEEP

      6144:eKYOSlWhmtC3G/414qs8Pz5Trd8Coc1O9gRyBDqP6K0Q0wKnL:e1/WYtwG24Qp+oOGROrK0W0L

    Score
    10/10
    upxevasion

    • Modifies firewall policy service

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral28behavioral29

    • Target

      mh3.exe

    • Size

      361KB

    • MD5

      e48e887d5308de6e88b0edbcf0c05664

    • SHA1

      b78c4d499717346c6da33f9d2a884aaaee74ebcc

    • SHA256

      e18bc151f005b441f6003b4fc096583c8e4f312bc6439ecffc91b190d73171a2

    • SHA512

      5068add9bf1681ffb27c9e4867f80fe4ee484a3260b12c501988caaed1ce0876e295e1809b81c47bf2be4994d2e10728b12f84a3e84a212718a0fbc816cb68f7

    • SSDEEP

      6144:VLTG0GxC/dijE8O1udvvFsueJ+kXpJdkDStVvXGxcS985NRW1W:VfG7ggEN2Vsum+2pJ2YvXGKHW1W

    Score
    10/10
    evasion

    • Modifies firewall policy service

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    behavioral30behavioral31

    • Target

      server.exe

    • Size

      333KB

    • MD5

      44283b85db8476e3dbcab39e644a76bb

    • SHA1

      afed9e102d07782074a63b8f5fae6ac0ee96ec1f

    • SHA256

      5e213f963cb6c381a34388e9d66456cc044c395d4921440acb9d80a9625803b2

    • SHA512

      a5f5dd9ac7116971c65ad376d31b463d0b44b6cced3db08593030eb8ccd64e1fefa1f2c0531004dc347407c2f4f8090bab860e6485f91c3a31eb49b44df78bdf

    • SSDEEP

      6144:EgiFIfdAcDJiMm02wKURWl3I+q4NqBqAG:ri2dTDJiMmRvUROI+q4UBqAG

    Score
    10/10
    gh0stratpersistencerat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral32

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

9
T1112

Discovery

Query Registry

8
T1012

System Network Configuration Discovery

4
T1016

System Information Discovery

14
T1082

Peripheral Device Discovery

5
T1120

Execution

Exfiltration

Impact

Initial Access

Lateral Movement