General

  • Target

    43ce73a6aace46a5192d662cc1f9525de4b215d42d005fc8cd3e4f1fd7f5e194

  • Size

    11.5MB

  • Sample

    240422-tq9vmade2y

  • MD5

    45667cc2d9508fa3ee355a99024c9d77

  • SHA1

    6a77f435ecd17388912c6ce367f339ddb86d42a3

  • SHA256

    43ce73a6aace46a5192d662cc1f9525de4b215d42d005fc8cd3e4f1fd7f5e194

  • SHA512

    b580f6ac366ad0e23ec1429a3696f8186c58037ee374a656dfee3debe5b797b796603b965c773e779e90854b2a43769c10af033907bd92e4c9215de80b71f1dd

  • SSDEEP

    196608:YhiaLKIz3NB4tf8tNSPFOGJFACQM6rw3FinnaL:ohLSP+frfne

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
