General

  • Target

    0a3c41297dbb36812959c585af7cc899470ab59cdf07369f6a513eb76182a986

  • Size

    1.2MB

  • Sample

    240524-d36ezabe76

  • MD5

    38b822d2f0a1f91e92a385b57afcee86

  • SHA1

    c2183422e696a4f27b6b72489fe3ef0650846bd5

  • SHA256

    0a3c41297dbb36812959c585af7cc899470ab59cdf07369f6a513eb76182a986

  • SHA512

    1dcb8e7e228cfc30b29a483a5aa32438eb2f3d88b79fdbd6259993c53ebcdd4d1bf796453e9af43d49afb85af82198439c61298a83c4b9d6555f14bba090b71f

  • SSDEEP

    24576:tYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnLyzcjzV/EI:tYREXSVMDi3zjzlEI

Malware Config

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Sets DLL path for service in the registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 1
