General

  • Target

    668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba

  • Size

    5.6MB

  • Sample

    231224-hlrmpshhgk

  • MD5

    0a33a1bfd046c651c8c91edb3d7b972c

  • SHA1

    fe93b5f6242be4e5b89c5e2dcd46640b456cd71d

  • SHA256

    668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba

  • SHA512

    5be38c53d2471c19c15aa1212839cd8bafcf42796977ea7f27daebf9a840af0dcfcdc20b244bf85902d6365d1eed52f8efff0c04cd389bf1a570b6d007d49ad6

  • SSDEEP

    98304:GBGw4JTYdg7szAofgIlGE4JmUwMDeQo9vCRxNwimxt2Nv6GAsF7EyZ1pjZBZYZZ0:GBGw4JmqcxgiGE4JiMqF6DChU6AvfjBf

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect software.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks