General

  • Target

    cd125f42a87398f24569fb65fd7cf6c1e272196ea782e13bc207e33aaa2dbf1c

  • Size

    591KB

  • Sample

    230608-x6bvbahg42

  • MD5

    32e9699100ac0200046884edb0aea816

  • SHA1

    0005633286db9638b353b16d35cce77ac0529d07

  • SHA256

    cd125f42a87398f24569fb65fd7cf6c1e272196ea782e13bc207e33aaa2dbf1c

  • SHA512

    aed0d037f4aaf01610c0cc67a1cd4788492bb7fcbddff7a653b6bcb3ffcb8535bc734cef3c4997e5ca6809b0c44b8c49bf45534ffef78e0d557db3e2d6814c85

  • SSDEEP

    12288:Zf4nVTIxh3lkVcPVJle2f4VIgKwzUhg/tnDuJ+oz:ZwnmaVc9JMW4VpKSLtDuJR

Score
10/10

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.42

Targets

    • Target

      cd125f42a87398f24569fb65fd7cf6c1e272196ea782e13bc207e33aaa2dbf1c


    Score
    10/10

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 3

  • System Information Discovery (T1082): 4

  • Peripheral Device Discovery (T1120): 1

Tasks