General

  • Target

    GhostTool.rar

  • Size

    5.8MB

  • Sample

    240603-ltk2nsae5w

  • MD5

    b8454b673578bae275d378f96d9a6076

  • SHA1

    3c926271c5f123d0670cea6fa7e30fe903a042eb

  • SHA256

    e68164cc9a767cb7df4e1940979ebbb467b309568a15a80b764ef0b5aeab51aa

  • SHA512

    b00519dc090aea4bf963021e1033e1f76758dcf6dde4281985bf29f404a744c71a9b4b25c432b7fbbd70e174fe6f86770de6253519641f389eada33ef8743b54

  • SSDEEP

    98304:C6hABVrTP8yfuRR8wrGOrcJlVPwCrkcfBDejOdixnYcIZOP5Yx7cgMOCks63pw7b:lAB5TP8wgZC1rDfBCyixnYcYOgMCsewn

Malware Config

Targets

    • Target

      GhostTool.exe

    • Size

      6.0MB

    • MD5

      85a602e57bde1f6cd9387152ac3c71ae

    • SHA1

      ba75ccf3f63ad86fc6d1ba023dee2bcc46772341

    • SHA256

      eac15fe358f7ecafac66dd36340ff8c6e2902fb0601eeef8b69b8b08cdaad243

    • SHA512

      364dd3902ff76dba81378e1d442bc233a64f93c42232bd1ece81349fc5025f1e43a52b748de05f28b0436cb19afc2642b5047536b0fe1fd36de6e393abae2bc4

    • SSDEEP

      98304:gr2/EtdFBGLUamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RZOuAKO7uyGyf:gr2OFE5eN/FJMIDJf0gsAGK4RsuAKOd5

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar secrets.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks