Overview

overview

10

Static

static

3

1caf02f400...72.exe

windows7-x64

10

1caf02f400...72.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1caf02f40057db3c21b0d0a69265a3eba23f9581091bbc3a581b0ed964c1a072

  • Size

    5.5MB

  • Sample

    240524-dj82raah3w

  • MD5

    55dae4a8fe92a740d96600292eaa8e02

  • SHA1

    de9df7080e7544e82a6d4e75e4a5b683ced264ff

  • SHA256

    1caf02f40057db3c21b0d0a69265a3eba23f9581091bbc3a581b0ed964c1a072

  • SHA512

    bb28ef8763b897796e51693caabd08491b47dcf02c8b1721c07c0e77c29315a491ce626d98c8dc61ef6c2879c2ec773c87af12bb3754e0074a9157564c529d48

  • SSDEEP

    98304:y2SVMD8qnlEwmrf1LLwfQmaHMFykCHdyFmXBSimMWt86dPLifj4GTMQ:CAnlETrfZwGHCGHdfXB0zxzifs0V

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Targets

    • Target

      1caf02f40057db3c21b0d0a69265a3eba23f9581091bbc3a581b0ed964c1a072

    • Size

      5.5MB

    • MD5

      55dae4a8fe92a740d96600292eaa8e02

    • SHA1

      de9df7080e7544e82a6d4e75e4a5b683ced264ff

    • SHA256

      1caf02f40057db3c21b0d0a69265a3eba23f9581091bbc3a581b0ed964c1a072

    • SHA512

      bb28ef8763b897796e51693caabd08491b47dcf02c8b1721c07c0e77c29315a491ce626d98c8dc61ef6c2879c2ec773c87af12bb3754e0074a9157564c529d48

    • SSDEEP

      98304:y2SVMD8qnlEwmrf1LLwfQmaHMFykCHdyFmXBSimMWt86dPLifj4GTMQ:CAnlETrfZwGHCGHdfXB0zxzifs0V

    Score
    10/10
    gh0stratpersistenceratdiscovery

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Sets DLL path for service in the registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks