General
-
Target
19a8d873a5f184d1ed79696e87e2a7bbaf30a093850cab2c6e0e4d15bb2744f5
-
Size
12.5MB
-
Sample
240525-v9s7nacb6z
-
MD5
7c0d680b9af6aee635f73e6934663f5f
-
SHA1
63fe70455e5d5a61154f3043552ff53771b28cb9
-
SHA256
19a8d873a5f184d1ed79696e87e2a7bbaf30a093850cab2c6e0e4d15bb2744f5
-
SHA512
2a5e0cfd7a764f5eb7799469aa12d7ea5d3bb93755da3a621acde4aecb1e0c7d0330f2e97a6b85cb59192f466dd4207e20fca539d93460999f8f12b0a2a410fd
-
SSDEEP
196608:7dS+p4QZqMFGkcNYuwPZ/bpo6kxYKURFqIhmdL1qo:ZS+TtGt0zcmKURFq2m
Malware Config
Targets
-
-
Target
19a8d873a5f184d1ed79696e87e2a7bbaf30a093850cab2c6e0e4d15bb2744f5
-
Size
12.5MB
-
MD5
7c0d680b9af6aee635f73e6934663f5f
-
SHA1
63fe70455e5d5a61154f3043552ff53771b28cb9
-
SHA256
19a8d873a5f184d1ed79696e87e2a7bbaf30a093850cab2c6e0e4d15bb2744f5
-
SHA512
2a5e0cfd7a764f5eb7799469aa12d7ea5d3bb93755da3a621acde4aecb1e0c7d0330f2e97a6b85cb59192f466dd4207e20fca539d93460999f8f12b0a2a410fd
-
SSDEEP
196608:7dS+p4QZqMFGkcNYuwPZ/bpo6kxYKURFqIhmdL1qo:ZS+TtGt0zcmKURFq2m
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Sets DLL path for service in the registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-