General

Target: c64c8d47a0699809f97cdd8f3d9e4449d52bff0eb013d4d44d09b32b54177e36
Size: 5.6MB
Sample: 240625-xp4h1axbmd
MD5: 1a41b3ba2b280071d3f82162f0d13e76
SHA1: 3427b33f7d99f1291a2a30d4eae998b8883f257c
SHA256: c64c8d47a0699809f97cdd8f3d9e4449d52bff0eb013d4d44d09b32b54177e36
SHA512: 1cacf0d09bc130923d6608787613f4971029df1a088419c129478e954f67f7204002eef5530686d07db40def674ac15a0fb6e601f2941221cf7c9a9e83aaa49f
SSDEEP: 98304:Cws2ANnKXOaeOgmhuitV0BPRbjbLgCRi7OnYZ0bYy7qUI1eV5QQkBSlUbsPLUoJ8:YKXbeO7XtWBRnRpYyb7uv18kBSGbsr

Static task: static1
Behavioral task: behavioral1
Sample: c64c8d47a0699809f97cdd8f3d9e4449d52bff0eb013d4d44d09b32b54177e36.exe
Resource: win7-20231129-en
Malware Config

Targets

Target: c64c8d47a0699809f97cdd8f3d9e4449d52bff0eb013d4d44d09b32b54177e36
Size: 5.6MB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: identical to the values listed under General
- Gh0st RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer that can run Windows applications and is sometimes used as a sandboxing environment, so probing for it is a likely anti-analysis check.
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger (the ThreadHideFromDebugger information class stops the calling thread from delivering debug events, a common anti-debugging trick)
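The signature names above describe behaviour without showing what each one actually watches. The following is an added example, not code from the report or from the Triage signature engine: a small matcher that applies equivalent checks to constructed event records, so an analyst can see which registry keys and directories each signature keys on. The event format (dicts with type, op and path), the placeholder service and file names, and the use of the well-known VirtualBox ACPI and Wine key locations are assumptions, not data taken from this sample.

```python
"""Matching the report's behavioural signatures against constructed event records.

Added example, not code from the Triage report or its signature engine. The
event shape (dicts with type / op / path) is an assumption modelled loosely on
API-monitor and Sysmon registry/file events; the registry and file locations
are the well-known places each behaviour touches, not paths from the sample.
"""
import re

# (signature name, event type, required operation or None, path pattern)
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values", "registry", "query",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Identifies Wine through registry keys", "registry", "query",
     re.compile(r"^(HKLM|HKCU)\\SOFTWARE\\Wine(\\|$)", re.I)),
    ("Sets service image path in registry", "registry", "set",
     re.compile(r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("Server Software Component: Terminal Services DLL", "registry", "set",
     re.compile(r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\TermService\\Parameters\\ServiceDll$", re.I)),
    ("Drops file in Drivers directory", "file", "create",
     re.compile(r"^C:\\Windows\\System32\\drivers\\[^\\]+$", re.I)),
    ("Drops file in System32 directory", "file", "create",
     re.compile(r"^C:\\Windows\\System32\\", re.I)),
]

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def normalise_path(path):
    """Collapse long hive names and doubled separators so one regex per signature suffices."""
    for full, short in HIVE_ALIASES.items():
        if path.upper().startswith(full):
            path = short + path[len(full):]
    return re.sub(r"\\+", r"\\", path)


def match_signatures(events):
    """Return {signature name: [matching normalised paths]} for a list of event dicts."""
    hits = {}
    for ev in events:
        path = normalise_path(ev["path"])
        for name, etype, op, pattern in SIGNATURES:
            if ev["type"] != etype or (op is not None and ev.get("op") != op):
                continue
            if pattern.search(path):
                hits.setdefault(name, []).append(path)
    return hits


# Constructed events illustrating the behaviours listed in the report; the
# service name "ExampleSvc" and the file names are placeholders, not the sample's.
EVENTS = [
    {"type": "registry", "op": "query", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "op": "query", "path": r"HKCU\Software\Wine"},
    {"type": "registry", "op": "set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "value": r"C:\Windows\System32\drivers\example.sys"},
    {"type": "registry", "op": "set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "value": r"C:\Windows\System32\example.dll"},
    {"type": "file", "op": "create", "path": r"C:\Windows\System32\drivers\example.sys"},
    {"type": "file", "op": "create", "path": r"C:\Windows\System32\example.dll"},
    # Benign noise that must not fire: a read of a Run key and a drop into the user's temp dir.
    {"type": "registry", "op": "query", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file", "op": "create", "path": r"C:\Users\user\AppData\Local\Temp\setup.tmp"},
]

if __name__ == "__main__":
    for name, paths in match_signatures(EVENTS).items():
        print(f"[+] {name}")
        for p in paths:
            print(f"      {p}")
```

Note that a drop into System32\drivers fires both file signatures, just as the report lists both; the registry checks for VirtualBox and Wine are reads, which Sysmon does not record, so in practice they come from API hooking rather than from event logs.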
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Server Software Component (T1505): 1
    Terminal Services DLL (T1505.005): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1