General

  • Target

    02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43

  • Size

    580KB

  • Sample

    230609-yawqaadb74

  • MD5

    87d748a0ae1ec45b8ace9a2ceb6a3766

  • SHA1

    e7d124c1b12e65d52f72f808731b3f0184a6ce10

  • SHA256

    02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43

  • SHA512

    02ea5c169f831955fd08769261fc04ab7c20fe7c53d41a1d3044323c6353d6cd41a36a8576688fcff2e540d245adaba7fa70b9180f1027b94fc59d413c5fa5eb

  • SSDEEP

    12288:I13jViY02vmO1oiRFr2vFrajw5Gc/kqO:QiY0+mOjErC2xcqO
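Before trusting a local copy of this sample, confirm it is the file the report describes. The helper below is an added example (not part of the report or of any sandbox tooling): it streams a file through the four digests listed above and reports every field that disagrees with the report. The hash values are copied from this page; the chunked reader and the comparison logic are the editor's. SSDEEP is omitted because it needs a third-party library and is a similarity score rather than an identity check.

```python
"""Cross-check a local file against the hashes listed in this report (added example)."""
import hashlib
import sys
from typing import Dict, Iterable, Tuple

# Values copied from the "General" section of the report.
REPORT_HASHES: Dict[str, str] = {
    "md5": "87d748a0ae1ec45b8ace9a2ceb6a3766",
    "sha1": "e7d124c1b12e65d52f72f808731b3f0184a6ce10",
    "sha256": "02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43",
    "sha512": (
        "02ea5c169f831955fd08769261fc04ab7c20fe7c53d41a1d3044323c6353d6cd"
        "41a36a8576688fcff2e540d245adaba7fa70b9180f1027b94fc59d413c5fa5eb"
    ),
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a byte stream once, feeding every algorithm from the same pass.

    Returns a dict of lowercase hex digests plus the byte count under "size".
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    observed = {name: h.hexdigest() for name, h in hashers.items()}
    observed["size"] = str(size)
    return observed


def compare_with_report(observed: Dict[str, str],
                        expected: Dict[str, str] = REPORT_HASHES) -> Dict[str, Tuple[str, str]]:
    """Return {algorithm: (observed, expected)} for every digest that does not match.

    An empty dict means every listed hash agrees, i.e. this is byte-for-byte the
    reported sample. Comparison is case-insensitive because reports and tools
    differ in hex casing.
    """
    mismatches: Dict[str, Tuple[str, str]] = {}
    for name, want in expected.items():
        got = observed.get(name, "")
        if got.lower() != want.lower():
            mismatches[name] = (got, want)
    return mismatches


def check_file(path: str, expected: Dict[str, str] = REPORT_HASHES,
               chunk_size: int = 1 << 20) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Hash a file in chunks (so large samples do not have to fit in memory) and compare."""
    with open(path, "rb") as fh:
        observed = digest_chunks(iter(lambda: fh.read(chunk_size), b""))
    return observed, compare_with_report(observed, expected)


if __name__ == "__main__":
    # Usage: python check_sample.py <path-to-sample>
    observed, bad = check_file(sys.argv[1])
    print("size:", observed["size"], "bytes")
    for name in ALGORITHMS:
        status = "MISMATCH" if name in bad else "ok"
        print(f"{name:7} {observed[name]}  {status}")
    sys.exit(1 if bad else 0)
```

The exit status makes the script usable as a gate in a triage pipeline: a non-zero exit means the file on disk is not the one analysed here, and any further conclusions drawn from this report would not apply to it.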

Score
10/10

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.181
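The extracted C2 address gives a network indicator, but an IP alone ages quickly. The following added example (the editor's code, not part of the report or of the Gh0st source) shows how classic Gh0st RAT frames its C2 traffic so a responder can also match on the protocol: a 5-byte flag, a little-endian 32-bit total packet length, a little-endian 32-bit uncompressed length, then a zlib-compressed body. The flag value `Gh0st` is the one from the public source; rebranded variants change it, so treat the magic as an assumption to tune per sample. The flows are constructed inline; the port numbers are arbitrary.

```python
"""Classic Gh0st RAT C2 framing and a two-signal flow check (added example)."""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

C2_IP = "125.77.168.181"   # C2 extracted in this report
GH0ST_MAGIC = b"Gh0st"     # assumption: classic 5-byte flag; variants rebrand it
HEADER_LEN = 13            # 5-byte flag + uint32 total length + uint32 uncompressed length


def build_packet(body: bytes, magic: bytes = GH0ST_MAGIC) -> bytes:
    """Frame a body the way the classic client does: zlib body, LE lengths."""
    compressed = zlib.compress(body)
    total_len = HEADER_LEN + len(compressed)
    return magic + struct.pack("<II", total_len, len(body)) + compressed


def parse_packet(buf: bytes, magic: bytes = GH0ST_MAGIC) -> Tuple[Optional[bytes], bytes]:
    """Parse one packet at the start of buf.

    Returns (body, remaining_bytes) on success, or (None, buf) when buf does
    not start with a complete, well-formed packet: wrong flag, truncated
    stream, undecompressable body, or a length field that disagrees with
    the decompressed size. Callers can loop on the remainder for a stream.
    """
    if len(buf) < HEADER_LEN or buf[:len(magic)] != magic:
        return None, buf
    total_len, orig_len = struct.unpack_from("<II", buf, len(magic))
    if total_len < HEADER_LEN or total_len > len(buf):
        return None, buf          # malformed, or still waiting for more bytes
    try:
        body = zlib.decompress(buf[HEADER_LEN:total_len])
    except zlib.error:
        return None, buf
    if len(body) != orig_len:
        return None, buf          # header lies about the body: not a valid packet
    return body, buf[total_len:]


def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[Dict[str, object]]:
    """Flag flows that either go to the reported C2 or carry Gh0st framing.

    The two signals are evaluated independently so a changed C2 address
    still trips the framing check and a changed flag still trips the IP check.
    """
    hits: List[Dict[str, object]] = []
    for dst, dport, payload in flows:
        reasons: List[str] = []
        if dst == C2_IP:
            reasons.append("destination matches reported C2")
        body, _ = parse_packet(payload)
        if body is not None:
            reasons.append(f"classic Gh0st framing ({len(body)}-byte body)")
        if reasons:
            hits.append({"dst": dst, "dport": dport, "reasons": reasons})
    return hits


# Constructed flows for demonstration (not captured traffic from the sample).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    (C2_IP, 8000, build_packet(b"\x01" + b"host=WIN-TEST;os=6.1")),
    ("93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.5", 443, build_packet(b"\x02")),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit["dst"], hit["dport"], "; ".join(hit["reasons"]))
```

Checking the decompressed length against the header is deliberate: a parser that trusts `orig_len` for buffer allocation is a classic bug, and a detection that trusts it will also be easy to evade with a single forged header.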

Targets

    • Target

      02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43

    • Size

      580KB

    • MD5

      87d748a0ae1ec45b8ace9a2ceb6a3766

    • SHA1

      e7d124c1b12e65d52f72f808731b3f0184a6ce10

    • SHA256

      02381c7510b4e59bc538785db36a8e10a04179911919d3aee2f49c6546d33c43

    • SHA512

      02ea5c169f831955fd08769261fc04ab7c20fe7c53d41a1d3044323c6353d6cd41a36a8576688fcff2e540d245adaba7fa70b9180f1027b94fc59d413c5fa5eb

    • SSDEEP

      12288:I13jViY02vmO1oiRFr2vFrajw5Gc/kqO:QiY0+mOjErC2xcqO

    Score
    10/10
    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to avoid running in unintended regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    • Query Registry (T1012): 3

    • System Information Discovery (T1082): 4

    • Peripheral Device Discovery (T1120): 1

Tasks