General
-
Target
MALZ6.zip
-
Size
17.8MB
-
Sample
241207-xc951stkfr
-
MD5
5ad5a10e0ae8eeb1bb6817c9d0cd960e
-
SHA1
ecb3ffcf79aedfa3c35c2dab0b4f5ca0f872b62c
-
SHA256
c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099
-
SHA512
05b6ee99e6843d928255daded5a699231c25275b726f68be2b67c6bfc59305bc2b2ad5ae6ab11e70ce975a3ad10e7acbb520601728d9e4b255b7891263828cdd
-
SSDEEP
393216:P7tKCblX9nuQNeyIvnpDDsIT0vyirPw9yesWcnE1zoQrq8:c6hVeyQpvsIgvyirPiKWcnkUr8
Malware Config
Targets
-
-
Target
UDP.exe
-
Size
31KB
-
MD5
161f6beec09cd33d710f8f97365ee6f6
-
SHA1
9c408d1b53a1d03e8c7a3f85e050870f3d9a741f
-
SHA256
f73a89b6a5c42d21ee4f7a4d79ad784cdfd896bbe2453b60cf9688786f7a9d98
-
SHA512
e9f2afd6ad8216fa0f34cca29ba4d8753a03b187f4e9c29a0607e9b2ad932b788cb9a75db54df0db522e2a20d54a12992ed2396f40f06ab8cd76a89bcbf1e6be
-
SSDEEP
384:+ubvs5ed2wcTZr5bDDOp61lpHwdkJAqJDPHYM:hshb9r5b3Op8lVbJTJwM
Score3/10 -
-
-
Target
a
-
Size
1.3MB
-
MD5
84839072ae06ae3e47d93f3b79067305
-
SHA1
eb578777ca88dcaa72cb9b22720618b2e3aa770f
-
SHA256
dd77459b8d76d9be75dde3f2aa8e8434b266bc98acd15966c6ae65a6620b10db
-
SHA512
3b004be47b8aef3ce9ee821d267ef4e36dfb2a17bdbbf8630f24f119f3ad26c862a79a1e8afafe7e98422479eb58dd8b2ee5c644d3aef84f9bb2eab991f878de
-
SSDEEP
24576:X8BHnVsZc1VZneCEuvLmJ7p9fomAmgAspprQYlGtmgmH1LJSwYS3uJdE0cG/v5FH:YHnVec1VZnezuvLmJrfvAmgAspprVlGR
Score1/10 -
-
-
Target
arm1
-
Size
977KB
-
MD5
cb75be331a7b5cb54bae9db9f4ca643d
-
SHA1
789ccb024361d7a4911dfc77bf1c93442491c3c9
-
SHA256
8366aea8087a354cbd178f920770b35d785f988ec3649bb7e282d1e3272a6b77
-
SHA512
d16e503bb8434c324976747b9f90092fafdaafcc877c588b18c8d1c14c9d813552389dea496a1b2cacaea4e2ebfdec6a630c68e44c645d1a25da9076e6f4c32f
-
SSDEEP
12288:erXiRPpwBSHJB2A6f13P5D79dmuxlNzJs4dm3yxiD1WjfGAIFDFvyq766Pd8YTQ0:jvwlP5DJdrRJsskWU5RPdg2ByWwK3R
Score1/10 -
-
-
Target
bj.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
bjyk.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
cctv.exe
-
Size
221KB
-
MD5
dc655daf16748469712aa1d26336e087
-
SHA1
ad9df22536f9913229849d8ac7b3baff93529d71
-
SHA256
744d37a30b3e0085b55fb62c9f226a4fd42a2545bd246105ba5e99c8fbfe1011
-
SHA512
0e2c839ce3d7bcf3ea2766e07970b5c5fb77f8909d1f70225b2c075faced3f130e1a37104d6ecd17a8fa00e3303d90a46d0c296b22bac3e2762ae30f315c3e46
-
SSDEEP
6144:jzu6Kqcii29Z/3sXnr1eEKNTVCDk0PVLOgE:jp7i2wbJ0Vc/JE
Score10/10-
Modifies firewall policy service
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Loads dropped DLL
-
-
-
Target
cctv_2.exe
-
Size
48KB
-
MD5
e0a1361af24cc075e0cfb9e6a6a09cd3
-
SHA1
6b81a0773fd5a5f588302ef2231d2461544868aa
-
SHA256
71ef7e43615e286a5d424d2bafca90c03b05a1c216f1b3ac81997ee2d6bda8d7
-
SHA512
70815a447784599b423a4a4fb0c9d6821dd95244af8dd529ac51afa8d644ee16658cce748501b5f3283eec75ea1c967b225fb5400813f8fa5dc0c2dbe4de2401
-
SSDEEP
768:g+jOttjAoHTtNErVhg4xz8Jgo4KR3py9ma1Qxxbr:PiAgT0rVfF8JB4KR5omamx
Score10/10-
Modifies firewall policy service
-
-
-
Target
cn.exe
-
Size
520KB
-
MD5
2033a6d7d02690c31fa53d8717fc7ffb
-
SHA1
5ff0fb65c1322fba3f30a325097bd140ac9f508e
-
SHA256
5b81c2781d2c953f46fa7fdd815a31eebdaf8d402ab96457814cdf87583eaf1d
-
SHA512
8ec8cd260a54d138145ce1a2591ab3768f535518f7ea75967f5e7d89a1569a8ff4cdb33c85fb2fb31497e27aaf2a661c11fd7702fee73a0fa4652ed146d136c3
-
SSDEEP
12288:H8D0Pn8yQAOWqNujygoH8qCTxQSza+bqHKNci1/9aa:H8D0/JO/ujy9yTxDza3q2i1/9f
Score7/10-
Executes dropped EXE
-
-
-
Target
cn1.exe
-
Size
196KB
-
MD5
0731b597e61c2fd74577239fc53c794b
-
SHA1
85bf7df302e1e4e096ad8d385cac2ef004457ba9
-
SHA256
fe23577d1480bedcd63037921bbd5a55e86171c1a7dc97667df6a674ca0044fc
-
SHA512
6bf34bd045020a852dc2553869f67c30d13857c9fb228ae966fd2f794f607f7157933a4772c9e13e19c85bfec1f585d6e350cbcafb58c624f0aade78085664f4
-
SSDEEP
3072:zwSn0zvOvtYzwnqSioDXx4uE9w2qbMUeZPorQ/4/464Is9Um:U00zvOvtgSiod4uYzqAvZ1/w46Iym
Score3/10 -
-
-
Target
dhl.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
java
-
Size
1.5MB
-
MD5
e2be8944ce24abb4c0ed6858eb8d6157
-
SHA1
a9511dd764080aa0437fb586f2babd1c18214a6a
-
SHA256
59755333ce8c0e16e45340984a22a50f4cb6cb92f8fb85e452dfbec7596a4859
-
SHA512
815bed537eede7461d03b9ffab84b3f77ac43f3d5e47284b4c8a5052ab2eb82bc1563ab7375e3928dfb4a4179096d429143423bd780f2e037ec29ae8a4fee17a
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhGB+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rhObccIwhL
Score1/10 -
-
-
Target
java (2)
-
Size
41KB
-
MD5
29096b156ac5bbd5bf44448d4c92f47a
-
SHA1
fec10cfed79d87d6d6867867f8730ffa39be31c9
-
SHA256
18b0893f3b143a70dc60b0d4da10b63f5fd172fedb63b857b281e0c19a0b0dbe
-
SHA512
f0f5d259b4d57e8361ea1d8bde69fa1eef6bd3a7614761b3d157a228f71bbf40ea1a2ab8edaa4760a332f6d7ff5404374cc11a437f57eee613eec4cf7b145380
-
SSDEEP
768:onP9R7JLjULRm7oKYNEfOVmXVtje7heNcfb+QuKfUGH4k53:69D3cD6WcFtC7h5CQXUGYk53
Score1/10 -
-
-
Target
java1
-
Size
1.5MB
-
MD5
b94d195896ac0aa647a2334f74e1aa73
-
SHA1
58792006cd89f0689a2eb4766af298305954c653
-
SHA256
fc10540c1effe99bdd7a9e1025bdda6813f5dbbdb6e89acdbf79df443a5bba49
-
SHA512
1d4f0427d6ffc456afa34e5edb1742a238866106a3cdbfa7866692aadd4810114f53111671d2fecbe396cf42f590f6beee29afee74893eb33bb0854ef78a3ef1
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhGz+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rh0bccIwhL
Score1/10 -
-
-
Target
k5.exe
-
Size
76KB
-
MD5
145c9edca1151d477e5c339b6d797cbd
-
SHA1
f09d773d50f87c47500305e79bc1e6fcf503ebd6
-
SHA256
ed989d9d7e04a312dffe2fdd8dd30273d5b07ee56941f1a724b6143752ef42da
-
SHA512
10f5d6cacbbc96fa22c097f5b519fe1738a5531820518af00cedf8ca9112808bc2c2871845f85f496a1d08695441262ab3ed57068e6d029ec1e5aabdb32d47df
-
SSDEEP
1536:bcPk2vG+Yq6GrXdOOq52m0HLxEulgsteEY+cZv8FYOicNx1q/6:v2vGM6GLdu52hHL6ulgsteEY+cZ90Nx1
Score10/10-
Modifies firewall policy service
-
Modifies RDP port number used by Windows
-
Executes dropped EXE
-
-
-
Target
ly1
-
Size
745KB
-
MD5
7878dedc8f99659f1e0bd43a8b20b25f
-
SHA1
968c61c19237efad875fb5da9ef468303fd18500
-
SHA256
fe686bb110b6af61f109de5b71239bb76ea75e0588ece3a0570393f310eb1026
-
SHA512
dd71e1da4bc6f82bd03110431e22fbed130b10c27ae16bf3d8c6760c0b11c5486dc475ba98cd0d35192bedf5bba836424d41289ba25c678bca8a636c117b7b0c
-
SSDEEP
6144:UTOzkT3puxmMmp9HovF3VBkFuPIMM2IutuXie+w7EQEtXqdTqBYWXChQyurnbOq3:2jHovzRu1ddTqDnUsIdk0KE43dcTDVSN
Score1/10 -
-
-
Target
mh.exe
-
Size
92KB
-
MD5
990ced068a35be3f8092c491bf2a6dbb
-
SHA1
b9303bd5671d66b7b5520da2a12f7243b05235f4
-
SHA256
22e44f753597c056b7b1eba9728043e7e6dbdf94f0f66f06e6bdd1fdba096fb2
-
SHA512
28ee629fc56a204f2e40f6f1c42e45dd142800ea07277d8d89f3d7522fbe290d32240668543e679b6e40e6d68b2f9a65cd6bf6168a4d9a79859e49df2ae5f48e
-
SSDEEP
1536:oPoRMUAPWbUFADNjKxoxQhy45mXKhpwvv2Uj281XQoYYqA:oP4ZSbENer5Toz6qXQ3
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Modifies firewall policy service
-
Executes dropped EXE
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
mips
-
Size
1.1MB
-
MD5
a883bae381125e862c109af67b3cfda4
-
SHA1
852f169460932eb49c13fb6050fcdbafcd354af9
-
SHA256
5d9f4ec734cf44f342a45f7de4ba0e208ec141ce47e32b3bc7d0666eff538fe5
-
SHA512
40a9804c5f900c3370ac856172c496347faec0187489c9e5d496923dc27f7b2138bfa2c43550acab44fb331ced5e2993fe84ff737f87275fbb74a4eb7b502738
-
SSDEEP
12288:v0gZjw/mGyri7g8Nyllxm+KYCy1aPrfWf47b/d+qdeaQklaHhmM7tL+GSPlXJZra:VETLPAFHcMJ6l5ZZVtGAi3YKhAxtK
Score1/10 -
-
-
Target
pjhxx
-
Size
544KB
-
MD5
c819b1705f2938ac258397c29618fceb
-
SHA1
f6079e473b0f937e3dd6a8f9b76549925ca32f60
-
SHA256
609a5f0e44f1723d29f258c4459a532b75c9c1b2bd26607384d17352150dd3a6
-
SHA512
70b564bcd85289e3a7f00d98b3f587db8255ea1eca7938988f1f6c6673214e50de8c0e3ecb8d554d32bd5489d758c45fe4901d462c0f013ef28b8676bcd8f53b
-
SSDEEP
12288:yCAn8AR1vaStp/35mnngohox5aczgLXKJFV+61m0nwyhes/tB:yCa8ARRfmnnphS5aczgzKJFVhtwyhD
Score1/10 -
-
-
Target
rootkit
-
Size
357KB
-
MD5
80b21dcc410fcd97098e8b804ba1dd27
-
SHA1
8eab144db8af9bfb3c633b373489c6799f2ad5cf
-
SHA256
548d1e891b2837e28c6e495fd1e5788ab650d169c53ade1f0cadf005d8657316
-
SHA512
7f8a5335a0b37bf760825c00fb0b685f85bebed212533c725748e3cafd8f4e79fa09e1b152bb7612ee1091bed49f35aa728a5f42e775bc80788535c16e34a60d
-
SSDEEP
6144:4LZVne1+4AtZTefDUuipumMP+tjwPn2OFfRA/7pmuxEkV3ufBrCkRNcl4/YGA/u:4dVne09J8UbpumMP+tjwPn22pAjN3ufv
Score1/10 -
-
-
Target
se.exe
-
Size
96KB
-
MD5
b7b347f1aebf2ef10369faf14e0bb2fb
-
SHA1
258e9a1ec916d66b510849192fba6c05fdcdaec7
-
SHA256
589b185221797c8dc67bc586f8c2e3c463a06771e53744afa082c04be7fe5763
-
SHA512
4baa49881edb3dea09d6ba8a71cbbcfc597a94657ef2265a5bffb38d2d481579e4215c5674360d490bd3a2913017b606c7e14564db64f645d910e809271b44d3
-
SSDEEP
1536:GRtxXnig5/VUJyWryEXe8T1g6hypxc/lkJ5jj1fV8cGDmtY:GhN5/VmbTC6hyQ/OJRj1V8cGCtY
Score7/10-
Executes dropped EXE
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
-
-
Target
server.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
smss.exe
-
Size
260KB
-
MD5
27fe3482f2f12435310a3c84544f4f0b
-
SHA1
dcef2cd3c551bf22b748556d7cdcd439a6cc5274
-
SHA256
20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75
-
SHA512
2324d9e10f410c3573d99dcdf3daf0960965e0e09a5134d21ad25e9cf6d0f91919e38cf37513b27baa25c3ade79825096dd88c50dfa5ddb82ff8ed36c32b2c48
-
SSDEEP
6144:AVx3d4gxU0UqWTYFa6u+CaTy8ZcILWlxwbtEW3kT4:An3S90y8aX+/RciixwbtkT
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Modifies firewall policy service
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Executes dropped EXE
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
sqlrer
-
Size
1.5MB
-
MD5
b324fddf10dc3f02d54dc5a4a9905c47
-
SHA1
74b1e753d096e7a30102a94007f9b1a328837fa8
-
SHA256
fb678d38d8b75262a123a71f5568ed872ecd92a2e3fa38cdf7a8b22031f982db
-
SHA512
b8005ebdd218133f6c4b2807c98e0e5310bd08e244527d291cacd47184da903b4e1ebd6196b8da7919e1c00ff4ad3cdbfc9bf8be75d451afb4032aea987004ca
-
SSDEEP
24576:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tZAf4Nzbm6g+qF2SdYOrhG6+bL+cH8y6LL:hNvOx/Vp/2bn9XgnNtmf28rhRbccIwhL
Score1/10 -
-
-
Target
squld
-
Size
1.1MB
-
MD5
368c8cbc67d3ce1ff7d2735cfe84f670
-
SHA1
f66ab3403c34e4c5d4202b9f93098e77e30df653
-
SHA256
0d84c93d895c48a00aacf0dbc0565ebde3ab720badf5eff0d85c43aa29027835
-
SHA512
450dbab685b5a274224db793e8b2587c5468a77f464badea4b5dc12548eda8af88a333e08bfa65bcec77d6fe106b86675b0400f8bcadcc6df02638db9025598d
-
SSDEEP
24576:4vRE7caCfKGPqVEDNLFxKsfaqI+gIGYuuCol7r:4vREKfPqVE5jKsfaqRHGVo7r
Score1/10 -
-
-
Target
ssh.sh
-
Size
747B
-
MD5
5e3c944adaad38594a1f3f6fe3e3268f
-
SHA1
b6c8fffead670eac332c60836c1a88760261dabc
-
SHA256
af0e78daa3ef5fec5084820ef80c12f88a2779b9c1ae3f57dda7fc93e033715f
-
SHA512
23994c04f7c2b79e0aad2512554aebbea41bffec06e9642e3e2070fc630a55b6ce62892e63255de0a1002a41912cfdf88a65a1420e87f985a94b913f59e5a439
Score3/10 -
-
-
Target
taskmgr.exe
-
Size
288KB
-
MD5
bc59e8a47d288a3411399884af9ed624
-
SHA1
f3abc633afb3b1a8d1439499e05a507f9899df73
-
SHA256
554c68f17fb687c3941f0cc2b141e25541d1ce66e47ad512d7cfd80f3ea5c026
-
SHA512
03aeb3e64f78e6df60e32bedf5a50408708ab562e55ec92221a92290e1599ff527a2a8bdac0b043b2c97fa8507f7c57f21db4b4f9acd87a313384a4f5422bc01
-
SSDEEP
6144:5gZNATdYlG4AnjhEkgS1bW4+QZbOQUhFS+W9RPNuULSWlJZg:5gZNodYlG4qEk1dYhFSbDNP14
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Executes dropped EXE
-
Adds Run key to start application
-
-
-
Target
win.exe
-
Size
133KB
-
MD5
745397b18fccf1d75f5a0ba6c0f5f268
-
SHA1
82ae742f32707d70fb7ef40821ccdac2989cab60
-
SHA256
9754217d0fdfb2e06982be84ea1a13dc29ad50a2c5bfd33ae5a14de1fd9568c6
-
SHA512
31dea28e08d42095391c936b4d3b7a89bdcddac2a332517712ff49771504e459535b9391ee23012595250b9ea0359e83e9ca027bc039a735cb3fb0f043b8dd50
-
SSDEEP
3072:luju5gwYsAp6wXhZIStIyyzdxu3N6Rnl2PO:luj1wYXUwEAyxqN6Rnl2G
Score10/10-
Modifies firewall policy service
-
UAC bypass
-
Windows security bypass
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
-
-
Target
wm
-
Size
8KB
-
MD5
45b2c35b3655e5f8c2ce5bfb6641b91c
-
SHA1
ec29095588f75ab201beb83100f78c1ded66f818
-
SHA256
45d821a50bb23a092cf136fd79f151abef502f8735ec80d6118b769f98d4326e
-
SHA512
7008075a751b093c3c5712869aa67671bbc0803b5ae119ef6079bdf477c05cd1c9c172d52ecd01809ed52f522daab9f504f1f298d0a1b3c8a97d013fa6926da0
-
SSDEEP
96:3aRM8+Nz5NgSCENafR5JzDL0BQXmw9vxcSYy653LgyS8fbI59IT:3a2ZNzCDLqDwN1YyyOp/IT
Score4/10 -
-
-
Target
wrt1
-
Size
1.1MB
-
MD5
d745749640359f5c5461b893d8865fd8
-
SHA1
74c667c6252142393c7bf21f8d23d3dabcd97236
-
SHA256
f309a43e4c8ea82cb5569a9656640e4501a3c0700c1352adb9f788dcef4f2ae1
-
SHA512
1d86014f318a945eb5e105c7fcaee4d62e0ff83357b67c3f2ee734f8ceb0045f2e8230d4007427b74254375a87f8a0725ad445c876e9fd5c8f49de3b4bf1c0f1
-
SSDEEP
24576:qsFkPsgRseqq7s7L23vHkF/CZ5lfwNjcpzdmMqMSjG2oedCp/mpyS1lFhextK:leLsL23vEF/CZ5lfwNjcpzdmMqMSjG2d
Score1/10 -
-
-
Target
xm.exe
-
Size
38KB
-
MD5
b16999f6fc3826ef598b459a2b8731ce
-
SHA1
d24402ff822c4e7d1606f96bd3bdab0ece841474
-
SHA256
d28b2cbecf6d771d85551b357b72c9aa939a57fdc74aee1ebc63ba334ed1e7df
-
SHA512
79afff783ae58c410f5a92f09a4488b29dec8424b06b8e1780741ec834202faca0eba6e4d51350866a74f6060a6f593a4c1d9a8fc554ef0858deb46df1952c98
-
SSDEEP
768:sjCSpftPzWIYHqfwyV0vsYRvNxLSywUlcVYeXSiaMHX3ZL+yd0ZgrvZQ:s+SLiIasV0vztNxCUlcVjXaMHX3M0W
Score10/10-
Modifies firewall policy service
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
yk.exe
-
Size
378KB
-
MD5
a770ebf2e59e29c7460a01241a0a493f
-
SHA1
97e59e483e1fa524a305828157a50203e918ada9
-
SHA256
ca89debe5dff34c2e2f56875d7dcde5e47565329d3aeb2f2f4a6a3e2248fe664
-
SHA512
4cf99a862fc6e2299e33113bb757dd31a0543c5b5716146de2051fbabe86a122e895a8ced9d4f2290ae82dd9f6093dc883abcb2a6747caa90e8fd46e061f6140
-
SSDEEP
6144:WsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90wRudOl1YTSgux1p2iPtGZ5da:btWUzJq8YPbncT3+bRHfYTSgS21NPE+S
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops file in System32 directory
-
-
-
Target
yk1.exe
-
Size
184KB
-
MD5
76eb54ffd5a2a2e161b45a9b4e24b71b
-
SHA1
4031978e9de0805858233e45b9109c376dce1db1
-
SHA256
5ecc331e0704bb6756aaacc19bd3d356d9c6851819c18df5be8ef76ba46cde95
-
SHA512
119807cddeb634de800d82fa7eae3d11a40bf2732bac8e6a3a31c14600dee1abcdb945fbb5349895b945120c70a5e4fa9629c26f33cc5972ad0449489ef569d1
-
SSDEEP
3072:9BFDC2a8kkalMLmNTMeN1vT72dPxIhf+sHS5LTblIdp4nNtmPvqgl:9/inHlN1vTyTIBVHkTblIGUSgl
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Modifies firewall policy service
-
Executes dropped EXE
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
1File Deletion
1Modify Registry
6