Resubmissions

General

  • Target

    csrss.exe

  • Size

    300.4MB

  • Sample

    240604-1vwxwsdf68

  • MD5

    3b8cc0be536ce3af083852089f3f668f

  • SHA1

    a858dc0ee6fc8f6026a186c637331fded22e56a7

  • SHA256

    d2c04698e0f237d4d66fc4e6be0c4b8f6c8fd156f237352e0d30f4b72474b714

  • SHA512

    27f758f026b1cb4e475d1e1fc32abccd753eb375e07bfc4c54287ecf84792a7997ee6b90d372260fe8ab52e8813e82023e48f03440cce3a7a06a05e3e30b2815

  • SSDEEP

    12288:kmRuu+l5X3XK709xYnN862P98FJn5vQM:ko+l5X3XK03YN8HkwM

Score
10/10

Malware Config

Targets

    • Target

      csrss.exe

    • Size

      300.4MB

    • MD5

      3b8cc0be536ce3af083852089f3f668f

    • SHA1

      a858dc0ee6fc8f6026a186c637331fded22e56a7

    • SHA256

      d2c04698e0f237d4d66fc4e6be0c4b8f6c8fd156f237352e0d30f4b72474b714

    • SHA512

      27f758f026b1cb4e475d1e1fc32abccd753eb375e07bfc4c54287ecf84792a7997ee6b90d372260fe8ab52e8813e82023e48f03440cce3a7a06a05e3e30b2815

    • SSDEEP

      12288:kmRuu+l5X3XK709xYnN862P98FJn5vQM:ko+l5X3XK03YN8HkwM

    Score
    10/10
    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks