General
Target: GhostTool.rar
Size: 5.8MB
Sample: 240603-ltk2nsae5w
MD5: b8454b673578bae275d378f96d9a6076
SHA1: 3c926271c5f123d0670cea6fa7e30fe903a042eb
SHA256: e68164cc9a767cb7df4e1940979ebbb467b309568a15a80b764ef0b5aeab51aa
SHA512: b00519dc090aea4bf963021e1033e1f76758dcf6dde4281985bf29f404a744c71a9b4b25c432b7fbbd70e174fe6f86770de6253519641f389eada33ef8743b54
SSDEEP: 98304:C6hABVrTP8yfuRR8wrGOrcJlVPwCrkcfBDejOdixnYcIZOP5Yx7cgMOCks63pw7b:lAB5TP8wgZC1rDfBCyixnYcYOgMCsewn

Behavioral task
behavioral1
Sample: GhostTool.exe
Resource: win7-20240221-en

Malware Config

Targets
Target: GhostTool.exe
Size: 6.0MB
MD5: 85a602e57bde1f6cd9387152ac3c71ae
SHA1: ba75ccf3f63ad86fc6d1ba023dee2bcc46772341
SHA256: eac15fe358f7ecafac66dd36340ff8c6e2902fb0601eeef8b69b8b08cdaad243
SHA512: 364dd3902ff76dba81378e1d442bc233a64f93c42232bd1ece81349fc5025f1e43a52b748de05f28b0436cb19afc2642b5047536b0fe1fd36de6e393abae2bc4
SSDEEP: 98304:gr2/EtdFBGLUamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RZOuAKO7uyGyf:gr2OFE5eN/FJMIDJf0gsAGK4RsuAKOd5
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.