General
-
Target
a66c38035d394ce272d2f356eebc429e503c0b988bac57dba33b182c08ef2930
-
Size
36.5MB
-
Sample
230502-v3d46abh27
-
MD5
aab4166f8e40c18fa53b9a1edc55767f
-
SHA1
dd8c8fb361faff1f550c13f602a068b240722752
-
SHA256
a66c38035d394ce272d2f356eebc429e503c0b988bac57dba33b182c08ef2930
-
SHA512
3759eac6127e989d038d98bc025e8471dce419979305bd0917eecba8f4254fbf82f57ace0a98ef8b3e765b77c938c713c20d546a2d2018babc0af751b9e8c1ac
-
SSDEEP
786432:HSLw+g0CJJztx2QI1cSskMMO8ZE8oTdF6MQyNhK:HSL/PCP5pISSslC5o5F6MTfK
Malware Config
Extracted
gh0strat
43.249.29.131
Targets
-
-
Target
a66c38035d394ce272d2f356eebc429e503c0b988bac57dba33b182c08ef2930
-
Size
36.5MB
-
MD5
aab4166f8e40c18fa53b9a1edc55767f
-
SHA1
dd8c8fb361faff1f550c13f602a068b240722752
-
SHA256
a66c38035d394ce272d2f356eebc429e503c0b988bac57dba33b182c08ef2930
-
SHA512
3759eac6127e989d038d98bc025e8471dce419979305bd0917eecba8f4254fbf82f57ace0a98ef8b3e765b77c938c713c20d546a2d2018babc0af751b9e8c1ac
-
SSDEEP
786432:HSLw+g0CJJztx2QI1cSskMMO8ZE8oTdF6MQyNhK:HSL/PCP5pISSslC5o5F6MTfK
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Modifies RDP port number used by Windows
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-