General
Target: daaf1ca21512cee5057a968d0fcf74b2e52db6d7d1f1f275d814d94f53bd5bdaN.exe
Size: 137KB
Sample: 240925-kjge3aydlg
MD5: 705636ad3b9697ee9849e61ddc923f20
SHA1: 38419c624a6c00c9cff7053ee540adb0dfec4528
SHA256: daaf1ca21512cee5057a968d0fcf74b2e52db6d7d1f1f275d814d94f53bd5bda
SHA512: 5f5f0c0182948180d831fb1d48fd7fdea632dad658f8f86a8e2dcf73b755f92e0d9f4f3c19953528b8eebcafaef8b097e77d2ccad0f1c89e162e8708bb4f3f04
SSDEEP: 3072:xR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuX:c25GgFny61mraZ
Static task: static1
Behavioral task: behavioral1
  Sample: daaf1ca21512cee5057a968d0fcf74b2e52db6d7d1f1f275d814d94f53bd5bdaN.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: daaf1ca21512cee5057a968d0fcf74b2e52db6d7d1f1f275d814d94f53bd5bdaN.dll
  Resource: win10v2004-20240802-en
Malware Config
Targets
Target: daaf1ca21512cee5057a968d0fcf74b2e52db6d7d1f1f275d814d94f53bd5bdaN.exe
Size: 137KB
MD5: 705636ad3b9697ee9849e61ddc923f20
SHA1: 38419c624a6c00c9cff7053ee540adb0dfec4528
SHA256: daaf1ca21512cee5057a968d0fcf74b2e52db6d7d1f1f275d814d94f53bd5bda
SHA512: 5f5f0c0182948180d831fb1d48fd7fdea632dad658f8f86a8e2dcf73b755f92e0d9f4f3c19953528b8eebcafaef8b097e77d2ccad0f1c89e162e8708bb4f3f04
SSDEEP: 3072:xR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuX:c25GgFny61mraZ
Score: 10/10
Signatures
- Gh0st RAT payload
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Port Monitors. Adversaries may register a port monitor so that the print spooler, which runs as SYSTEM, loads an adversary-supplied DLL at boot, giving persistence and privilege escalation.
- Sets service image path in registry
- ACProtect 1.3x - 1.4x DLL software. Detects a file packed with ACProtect.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (the API used to redirect a suspended thread into injected code, as in process hollowing)
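The two registry-backed persistence signatures above (Port Monitors, service ImagePath) are cheap to check on a suspect host. The script below is an added example, not part of the sandbox report and not the sample's own behaviour: it lists every registered port monitor, flags any whose Driver value is an absolute path, is not in a baseline list, is missing from System32, or is not Microsoft-signed, and separately lists services whose ImagePath points into user-writable directories. The baseline monitor list and the user-writable path pattern are my assumptions (a stock Windows 10 install), not facts from the report.

```powershell
# Added triage check, not code from the report. Assumptions are marked below.

# Assumption: the port monitors a stock Windows 10 install registers.
# PowerShell hashtable literals are case-insensitive, so DLL name casing does not matter.
$baselineMonitors = @{
    'localspl.dll' = 'Local Port'
    'tcpmon.dll'   = 'Standard TCP/IP Port'
    'usbmon.dll'   = 'USB Monitor'
    'WSDMon.dll'   = 'WSD Port'
    'FXSMON.DLL'   = 'Microsoft Shared Fax Monitor'
    'AppMon.dll'   = 'AppMon'
}

function Test-PortMonitors {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $name   = $_.PSChildName
        $driver = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { return }   # no Driver value: the spooler loads nothing from this key

        # spoolsv.exe loads a bare Driver value from System32; an absolute path,
        # an unknown DLL name, or a missing/unsigned file are the things to review.
        $rooted = [System.IO.Path]::IsPathRooted($driver)
        $path   = if ($rooted) { $driver } else { Join-Path "$env:SystemRoot\System32" $driver }

        $reasons = @()
        if ($rooted) { $reasons += 'absolute path in Driver value' }
        if (-not $baselineMonitors.ContainsKey([System.IO.Path]::GetFileName($driver))) {
            $reasons += 'not in baseline monitor list'
        }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
        } else {
            $reasons += 'DLL not found on disk'
        }

        [PSCustomObject]@{
            Monitor = $name
            Driver  = $driver
            Path    = $path
            Flags   = ($reasons -join '; ')
        }
    }
}

function Test-ServiceImagePaths {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Assumption (heuristic): a service binary living under a user-writable
    # location is unusual for legitimate software and worth a manual look.
    $suspicious = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and $p.ImagePath -match $suspicious) {
            [PSCustomObject]@{
                Service   = $_.PSChildName
                ImagePath = $p.ImagePath   # REG_EXPAND_SZ, already expanded by Get-ItemProperty
                Start     = $p.Start       # 2 = auto start, 3 = manual, 4 = disabled
            }
        }
    }
}

# Only monitors with at least one flag are interesting; services are listed as matched.
Test-PortMonitors | Where-Object { $_.Flags } | Format-Table -AutoSize
Test-ServiceImagePaths | Format-Table -AutoSize
```

Run it from an elevated prompt so every Services subkey is readable; some are ACLed against standard users and would be silently skipped. A monitor flagged only as "not in baseline monitor list" on a host with third-party print software is expected noise, so compare the Driver path and signer before escalating.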
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Port Monitors (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Port Monitors (1)
    Registry Run Keys / Startup Folder (1)