Overview

overview

10

Static

static

3

ca4f214861...1N.dll

windows7-x64

8

ca4f214861...1N.dll

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    ca4f21486195522b02a85e8ca4a152e10fdf780f458515f53ee64e56ff70f691N

  • Size

    137KB

  • Sample

    241010-peq6xs1cqp

  • MD5

    598cfaff95b2015d64220069a508ca10

  • SHA1

    e16a7361a9d6741ff257481d795b31e116d53f0e

  • SHA256

    ca4f21486195522b02a85e8ca4a152e10fdf780f458515f53ee64e56ff70f691

  • SHA512

    d8687ec26d401302fe7a82e2b2cad8cb070051bfe01a777a5a2f88713ba288babeca8a7c60733eef7feb94189813b6848593c2dbd4c7b1283968d3f6ada406cf

  • SSDEEP

    3072:YR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuU:N25GgFny61mrai

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Targets

    • Target

      ca4f21486195522b02a85e8ca4a152e10fdf780f458515f53ee64e56ff70f691N

    • Size

      137KB

    • MD5

      598cfaff95b2015d64220069a508ca10

    • SHA1

      e16a7361a9d6741ff257481d795b31e116d53f0e

    • SHA256

      ca4f21486195522b02a85e8ca4a152e10fdf780f458515f53ee64e56ff70f691

    • SHA512

      d8687ec26d401302fe7a82e2b2cad8cb070051bfe01a777a5a2f88713ba288babeca8a7c60733eef7feb94189813b6848593c2dbd4c7b1283968d3f6ada406cf

    • SSDEEP

      3072:YR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuU:N25GgFny61mrai

    Score
    10/10
    discoverypersistencegh0stratrat

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • Blocklisted process makes network request

    • Boot or Logon Autostart Execution: Port Monitors

      Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

      persistence

    • Sets service image path in registry

      persistence

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks