Overview (score 10/10)
Static (score 10/10)

Tasks (all run on windows10-2004-x64; score as shown in the overview tab, "-" where none was shown):
123.exe: 3/10
2211/SkinH.dll: 5/10
2211/updat...er.exe: 3/10
360sb.exe: 10/10
7000.32: 3/10
7000.64: 3/10
711/服务...r).exe: 6/10
BIN/Fallen.exe: 3/10
BIN/SkinH.dll: 5/10
BIN/主控端.exe: 10/10
BIN/生成器.exe: 10/10
Linux577: 1/10
Mh.exe: 10/10
Mh1.exe: 10/10
Mh2.exe: 10/10
SETUP.exe: -
TX98: 1/10
TX981: 1/10
TX982: 1/10
TX984: 1/10
TX985: 1/10
TX986: 1/10
bjyk.exe: 10/10
ceshi.exe: 10/10
ddos.exe: 10/10
dhl.exe: 10/10
mh3.exe: 10/10
server.exe: 10/10
smss.exe: -
xiaoqi.exe: 10/10
xiaose.exe: 10/10
yk.exe: 10/10
General
Target: malz5.zip
Size: 12.1MB
Sample: 250302-hfdhwsxzcy
MD5: 1468c1908845ef238f7f196809946288
SHA1: 62f0bd56b0e1235b99940b34916c19ecfac8e80c
SHA256: 438e44aae94e8376d2e36e23212920e936b7517bca24eaf66e9d7d014e21552c
SHA512: 83d65df17c88a4cbc64c6fe4d5e064850aeb3cccba2eb5097d3385f4195e1b94a374528e0a6b92f7ad1db2c78bb7fae3c0e563a2a828f5f8ce0459eccd72b496
SSDEEP: 196608:NllU8B3ffcP4fQ74RGBP91vnbcMlB4mVgGj/oRPA4CbyrE2C2+QQnr1Gh922bkHy:TtB3HcPEwpBPTvbtVfcq/yzR8Bt2aT8V
Behavioral tasks (every task used resource win10v2004-20250217-en)
behavioral1: 123.exe
behavioral2: 2211/SkinH.dll
behavioral3: 2211/update/server.exe
behavioral4: 360sb.exe
behavioral5: 7000.32
behavioral6: 7000.64
behavioral7: 711/服务器(Server).exe
behavioral8: BIN/Fallen.exe
behavioral9: BIN/SkinH.dll
behavioral10: BIN/主控端.exe
behavioral11: BIN/生成器.exe
behavioral12: Linux577
behavioral13: Mh.exe
behavioral14: Mh1.exe
behavioral15: Mh2.exe
behavioral16: SETUP.exe
behavioral17: TX98
behavioral18: TX981
behavioral19: TX982
behavioral20: TX984
behavioral21: TX985
behavioral22: TX986
behavioral23: bjyk.exe
behavioral24: ceshi.exe
behavioral25: ddos.exe
behavioral26: dhl.exe
behavioral27: mh3.exe
behavioral28: server.exe
behavioral29: smss.exe
behavioral30: xiaoqi.exe
behavioral31: xiaose.exe
Malware Config
Targets

Target: 123.exe
Size: 60KB
MD5: 07b3c7c475a0204f34408d806a4d0883
SHA1: 72da95ef18d46b5ff6f75c90da29d294e8e755cf
SHA256: 457bf2d5752e50d343a655993e9f308a616f4123c5fbebbc369f12c49bd502b6
SHA512: 4c57ce6ee744227219cdfdea5e67efe605c62d7ae99233a9b886bdf0144c70f0317be3ba5dd01c097284c3c86e7005165b9d74ef43fcf28d8d5fd34717c0f1c2
SSDEEP: 768:5blRLS2f/IbhNGgkqUpbj3Pl4SSbUtkokv9N:bBSI/UGg6P326tkokf
Score: 3/10

Target: 2211/SkinH.dll
Size: 84KB
MD5: a00c474dc4ced90b8f5a692108c45dce
SHA1: e02722d30a6218523e9ddef287817788a4a9b9fc
SHA256: 6504e515cbcf89cb98fd9f1a310125bfdf93e1f6a6bf0c64c0229e5670cac9b1
SHA512: e81b001379f94fabb71f1d6a019b81202e00da7338048b77d1728b40427689a32801419377d3e86c51c5e418cc3ccc328ee00adc69eaa575267bcaac8f477abd
SSDEEP: 1536:uVNx6WNnPZ369Z3TCy5KcGhVek8Hvv144SNT7qgG7kQSeQmnouy8U:uVNx6WNnPZK9RTkieJw7uWoutU

Target: 2211/update/server.Dat
Size: 132KB
MD5: 9eca5d103cd63622b620a93b40c93a78
SHA1: 717fd615fd990f11eec973210433d7162fc07248
SHA256: f5dcf6100e1ca85cff034e7a45eec468921e3d11463475b7f6ae06f39a17f044
SHA512: 6967d0f36a9d4e7d333a76a0fd4a906850b0959995cebc5392518346533c7398614ee9ec86b4c67bea5bdcdde850fd72760cd7dc7dddc04cfa728badbb0a0b84
SSDEEP: 3072:vLXLBeBE2nnY83c4LM5y0It1uHSCcXTGc:PgiFIfu3cDL
Score: 3/10

Target: 360sb.exe
Size: 74KB
MD5: ff3638137bdb13438ae78bdb295fb74d
SHA1: d1ff58701713d307430fd061592ecea3c1cf4e6b
SHA256: 61e5303a9e3c3f0b5c70749c4ea2d619f3b5bae341189eaff28393f337113fca
SHA512: dc87de3bb1689bea6409c33b2af420f8274d4c36862dfe79b98b2195c72057e76a0222aa3c61a144e6927a0bbe5a3a95afe4df430a342f35ba1c7d5c6fda339f
SSDEEP: 1536:aunpULRX92uqnsRDwdQW3YBlCOCbZawM:aunyLR0z3QOal/CbowM
Signatures:
- Gh0st RAT payload
- Gh0strat family
- Executes dropped EXE
- Drops file in System32 directory

Target: 7000.32
Size: 272KB
MD5: 1a2ca76f4c05df6ff90be02108f36759
SHA1: 518ceab47c71ea46625e64d1e342476dfee85985
SHA256: 5647a07dde1da4334e6a311519ee08ea1ac2fb6ff0841e81a2bd6053b6b59062
SHA512: 6340ca6862b4e22660748110da46227be889d7718242dcf0f9df9ecdce9bef5b9ff66b5bef0437813a73355ca1344408dd92c703ace821036578921f1c06c2e8
SSDEEP: 6144:+1FJI4kHXz3ghDymssoxTAbDcG3kj9M5apyFMMX:+1/0Gu7saocG0j9M5kMX
Score: 3/10

Target: 7000.64
Size: 710KB
MD5: d80e1546a194e42f049b1a15287aa4d6
SHA1: 980f2d902a250cd3298e2acf45bfbc31044cd8f5
SHA256: 7bce4673ac5b7db9bd5d27076c770925c181745b784f806024413a3b5552eebf
SHA512: 24501f6bb75078ebdb51999ed32ec1cea6ad57fe27dd48e12066de65dacf8570d0f875c79b9734f844f60042ad8c806d8293f9a92ee15d59fd9b68a50eec8a49
SSDEEP: 12288:ZIlddxPHCo90S9LTXIXs5im4MkQbSJDTdx4Is//O1ScnBM:ZI/dLTXIXw4jQb+Tffs//gScS
Score: 3/10

Target: 711/服务器(Server).exe
Size: 1.4MB
MD5: 00bfefeeeac3ce8ca86f04b712ff5f05
SHA1: 22873ef23a8b57d49837f251eefdd2e7bea2c8ef
SHA256: cc0ca86e194d2849c2b6c273c46a6a5d2b4846a72de50033e8638724cae07786
SHA512: 43021d34391a590278c52ea2cd7dba02aeb65455ca83eec8928c9f3b4350a0a6ef7c683dcad44221f27cb54bf0372440f8aae4bad03e1f3f88cdcb3d71fcb59b
SSDEEP: 24576:rmYno3lV5tqWXfqxysa8nTHtJXc3iLrrNTz1Cogt5CBt+CAIHQT4r0:5no3xtqWvyysaovZTxPtjAIwT4r0
Score: 6/10
Signatures:
- Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: BIN/Fallen.dat
Size: 11KB
MD5: 6e84be985f390113dcfd9e0ae6e679a8
SHA1: 4cbb7507643c377168f4afd682326a7a4cfcf909
SHA256: 016f31616fd150276f0a882ecdb1781909f59a577d5940e8c5e5d023eebbea4c
SHA512: 8e3a2a64a060702a04eb95401b13fc776d64d51f9a099ca944cc28f197d0f1db970fce49621dcb47985c1d446db406dc3a2ceacd05642be0edfc0aa87060ee59
SSDEEP: 192:VfgA8bh/1FgDOl2nfSHWfeA9nNGYzJplgHs/YjjfGEszZfAxd28Jfktsw/Khy0aB:V4AGh/1FgDOl2fS2feKNGYzvlgHoYHI1
Score: 3/10

Target: BIN/SkinH.dll
Size: 84KB
MD5: a00c474dc4ced90b8f5a692108c45dce
SHA1: e02722d30a6218523e9ddef287817788a4a9b9fc
SHA256: 6504e515cbcf89cb98fd9f1a310125bfdf93e1f6a6bf0c64c0229e5670cac9b1
SHA512: e81b001379f94fabb71f1d6a019b81202e00da7338048b77d1728b40427689a32801419377d3e86c51c5e418cc3ccc328ee00adc69eaa575267bcaac8f477abd
SSDEEP: 1536:uVNx6WNnPZ369Z3TCy5KcGhVek8Hvv144SNT7qgG7kQSeQmnouy8U:uVNx6WNnPZK9RTkieJw7uWoutU

Target: BIN/主控端.exe
Size: 164KB
MD5: 9c97045bd30aac72a3e699e7d210d3b3
SHA1: 34c474dbd987c35ff44c9f5aa96112fc5341205c
SHA256: a24938afe5a571ac4fb8a8a0acce89044c463b68893542cbba2faf8c22227f3c
SHA512: 618ddd26070739e983cc30f7b8e80595e579ac87e0054cc269566ae18d109ab8a941b1ec3621c7431d485def4d0503b359a492ed1a428d50435bc8ade3206b62
SSDEEP: 3072:HcubR8z3KRXnUs7VR1pSyt8XaMYY+SL5YObf7c:HdC3K2s7T1pSA8XaMYjojb
Score: 10/10
Signatures:
- Modifies firewall policy service

Target: BIN/生成器.exe
Size: 112KB
MD5: 12b7cd8937076817aaeeab8c2e7fb303
SHA1: bf575fa5cd47b929cd12a6743afca9e540284049
SHA256: 6fd227b6b7bcee8fd004737dc370a56f69d81337ce95036f597ce53da9c073b8
SHA512: 4e83cc1596e1032724011ba108915d4ba275c75abe82882a9511931d669d60cb55c80cd0dc347d040e90fd08333c27a7e52fb8348959ce9f080b9f9c8334f330
SSDEEP: 768:V/15bS4U0+pFVZzazjRzlRhRUOeQYAVe0EFlchGK79QdN/sfMmeIppTvw3C8Il1o:zQ0+rVZGrFDYAc5gGR/E0mlX9zn/
Score: 10/10
Signatures:
- Modifies firewall policy service

Target: Linux577
Size: 474KB
MD5: 9e96170c07c1566ac0d9d7b93e7928d1
SHA1: f762afafa8bf6b694bdc0bf00d8b4caa38d96ddc
SHA256: 825cbeae503c8d9f4ff8a55d14042e83db220f4ed428e57b57fc48335d09f359
SHA512: e042b528351ad9f32fe37d60bc2b45bb7b7b2cc60c59a10e8eee00a4417c53afa55803f0e9e1196aad912f0b881cfe627dad38802181a0d447b80985344cbd55
SSDEEP: 12288:Cd3IH4kbsBnbOXzFOS4NhgvMfA5z5m9NO554UA+:Cd4H4/OCI16O55h
Score: 1/10

Target: Mh.exe
Size: 410KB
MD5: 6b6fa473cd53b3b1d20fb7d0d7d94dd2
SHA1: ac8682258ec2a9556c5b06dac4b70aa7f408146b
SHA256: e4a5f740683ce26d8312c336e1a2d50aa5b56efe61fc793ff3f9dc08af2da30d
SHA512: 59a132a04c621aad34c2130895e1c33f8a988a1d400b91ab712c4058ab6fefda698d01f395dd88f15cc8382f6826eee6550296b00981581a5b8abb10682fe9b0
SSDEEP: 6144:66a0cy+o0eBYJw2acFyuItrcF7Faf3DROwunbNvTr:7XP0pJvacFyuItgZiTROwuxvTr
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: Mh1.exe
Size: 410KB
MD5: 0c80a0ef434aaecd6b1c888567935b97
SHA1: ad6730df896f7bb0e4379b8ac543c704f70f8292
SHA256: bb7850028720aace62daf55e8ba0bcf0b1040ebe20f3035873e9fd7130ced767
SHA512: 7a8b601b6d027c0f017a620aa117c7183c05170aa6f90c4a2a177ad82b938f00b181007d69eea128b4ee738b2397a2448e2a33801daa102bfdf2b39f1917e6de
SSDEEP: 6144:4ta0cy+o0ecIJw2qDukfgpFyuItrcF7Faf3DROwunbNvTr:eXP0yJvqDlQFyuItgZiTROwuxvTr
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: Mh2.exe
Size: 410KB
MD5: c4fdfaf0caa9f98856f2135407025b7a
SHA1: 0614d4a3db2045374c8308b84ad6864dd6db5869
SHA256: c08823a1d6ddb98b4ffd6488e8fb282c371ba4c30336770ddea7be50a33d4229
SHA512: 903221846dc5498649af5a167ad1477d93007ce344c7de2399c3dd2489def93348637e08f6e03398e7f247b249b04e705b45f7123573fbf00f4b062b6899294a
SSDEEP: 6144:SKa0cy+o0e3IJw2KpiBo+R9/21TkeVQVqOAh2/qIqUk3oGvNo:zXP0/JvKp+hN1bVqFh2rJYo
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: SETUP.exe
Size: 193KB
MD5: 920a14447a82c7b020501af6fe8c88d3
SHA1: bf3201d891dd6afc2a787dae1eae6e396af72c33
SHA256: 0c273dfdf2af911e189997b04a9b76c48fcfe14fc07ae0fbf639618d2887cf7d
SHA512: bc365b6d5e961a06167e325a1193aea0239f56791dedbd13fb6d8c4d18736c5912eaf84683c5750f736017a95b09de2082a74f813a8a045f1d13eab546f0327a
SSDEEP: 6144:mN2g1pIizw29kUhIOkk/DkzgsuIPDkzuJLie:mA+pL80/ozhvvie
Score: 1/10

Target: TX98
Size: 83KB
MD5: 5ba66307564858dfaaf671c78e11f37d
SHA1: 45fb2fbd1eb2d53a0c71c2d5fb0397711df99e54
SHA256: 0468b78c9eef6bde2367717d38347af54fce3df871382789cfb3780fc2731543
SHA512: e7edabc9060768d875f7dcc98fdb4552a8311d0c1ad408a70e7f67c7c6b0d15a1ea4e002fe92dc52f0379417f941169683e3922b788783769eef0b8310bf4051
SSDEEP: 1536:lCudpNeZUCBis65ifKnVsrTvC/LMpDLul4b2bQHb3S+aHAdnwU:oyIUAi/5/yCTkDNqE7i+qAB1
Score: 1/10

Target: TX981
Size: 4.9MB
MD5: 0874f1d99a37f34bb154013bc827bc3f
SHA1: ebb072a3c4ed3722f4649d490593d3c1e7dacd88
SHA256: da1dc452102758781c6a5a9f48c650e8efa745cbaab050f30c14e7b558946efd
SHA512: 9552292a2d588969fd9a035a1946ccbb0f4c4ae806ed8faacb98f52e2f9f1395e9c65f2976751f393a46fbee5184316b072bae3517d915fa0bf5fea72b12a722
SSDEEP: 24576:OjTY+ufmnFLLk53fRlLpipTBwLPwlrc4v6nka:OjTY+ukvkZfRlLgpTBwLPwljCn/
Score: 1/10

Target: TX982
Size: 1.8MB
MD5: bba8b35378fe7872ab2b5026f12b5e72
SHA1: 17d52f40b6cd116e81685beb91bd0b14dd9114f2
SHA256: 97192a841a178aed607674f7bf457cf53ce025571fd47da842d3ffd0ecf4d4f5
SHA512: d97a98093e55de5c3eca87a8e17fa8d13e1240aae3ef4634674e5f66a4f5eee91a27d2f6491e45e474f75a1e9740c31ecf94cfef3de5095fee418e37e15431ee
SSDEEP: 49152:bNihhOhBNhKhyu7cYx9z2rAnKsfROaFyZB5Ss5+Nu:5ihhOhBNhKhRwwJ2roMaFyZB5Ss5+Nu
Score: 1/10

Target: TX984
Size: 977KB
MD5: fdd1c9ad7f04868d4bed04f8708bec5d
SHA1: bc49a05e5a38ca2a9b0e0ef99819a8ff833b378f
SHA256: 8b5355748604150f8ce643305878c0d35e33a59bdcd25de9861497557b972359
SHA512: 3436b51881e997d38c271224f868aad2b5d11fa262c986c12ec75c70f3667742673f99386f7052df2d036ce2dc5efbd0fd5d51049dcb0589a7f13fadff81c205
SSDEEP: 12288:erXiRPpwBSHJB2A6f13P5D79dmuxlNzJs4dm3yxiD1WjfGAIFDFvyq766Pd4YTQ0:jvwlP5DJdrRJsskWU5RPd82ByWwK3R
Score: 1/10

Target: TX985
Size: 1.1MB
MD5: 5ab68ecc6f6262c76fc1875972a508dd
SHA1: dac088cc4ef5377efcf81a325c8516e71a792672
SHA256: aff22363942228229a1b40a4581f5e0593714d553ed5f2ea7aae15612b28142f
SHA512: e0837b8ec1632bc3493d79236dba2bca402f1d77e5ad9814c5df6f8b59115f69b71189a8d345df0ad32ed01e78ac3d151741643669ddc23595d9f74b7b7731d3
SSDEEP: 12288:v0gZjw/mGyri7g8Nyllxm+KYCy1aPrfWf47b/d+qdeaQklaHhmM7tL+GSPlXJZru:VETLPAFHcMJ6l5ZZVt6Ai3YKhAxtK
Score: 1/10

Target: TX986
Size: 1.1MB
MD5: 8adfc3cc5e225440684e74b7f7994933
SHA1: fbc72c5bc436a7565d994886e238b80731e373b8
SHA256: 746fd8e299a5542658c051d08765f327f3c3e48248698a29cf57f151a282b157
SHA512: e9dda159470640c11a6832f8d6be355d90b32c9c1fa7b938b47fc37fdeb459ccb17a8edeed8e0c065f107c7b04eed4b8dea5290543564a7732d3ae8c4c57acfa
SSDEEP: 24576:qsFkPsgRseqq7s7L23vHkF/CZ5lfwNjcpzdmMqMSjG2oedCp/mpyS1tFhextK:leLsL23vEF/CZ5lfwNjcpzdmMqMSjG2F
Score: 1/10

Target: bjyk.exe
Size: 377KB
MD5: ca7c977b5b315dd62b0189f2619764db
SHA1: 42ce52b22e5017990660148ba6c5ff0097c5af01
SHA256: c6d90ced12fb16ca9ae112787ce6d29379b06e0ba0a90595e337c07453a571fa
SHA512: b7be48e4c7ca12e0059a6b0064eaa8e8c1f4bbd7ed62c2a34671a5875ba25715b45b780d54e58f5429b2cade56244f6a820a46c0a45b0f7e9d4567213a499427
SSDEEP: 6144:xsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90Q1vPjrVCTH3mwVaYo7/8FaA/:OtWUzJq8YPbncT3+vXPjc3xVaYo7UFyO
Signatures:
- Gh0st RAT payload
- Gh0strat family
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

Target: ceshi.exe
Size: 303KB
MD5: 3ddd0fe1b5a21d08007805185072bdd0
SHA1: 174d3667b9f266b139f5892c961e7609a6134d79
SHA256: 42676dd65d1dbd81f8f8e751790b4412c5a179feb7edb5460cf230463f141299
SHA512: 2b633d6be693f46ac07e17c43a7389655e7e7e0ded027e9a82ca120139e0e44c68d1f76b32e34501bb9d4d3dcc9d44997c2803999b9aa1f2fec8f531464fdd9f
SSDEEP: 6144:rt8nMnJqNMFSTLeYVvI8vw+Ie51BMz3VolJXUVLAW5w7wIAsKCEc4YgUFk6Oa7HS:doNMsy8I6KFojXUaWQ5KCqOvOaJt+
Score: 10/10
Signatures:
- Gh0st RAT payload
- Gh0strat family
- Modifies firewall policy service
- Server Software Component: Terminal Services DLL
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory

Target: ddos.exe
Size: 38KB
MD5: d68ab23225bf1388a7a16963356a87b6
SHA1: 09ca273cdecf55b67eb20ced2e11a64b52058044
SHA256: 3e20b4ca4fea293b596c23328a06207c301d135774e461ff5c5e7b84784ffd47
SHA512: ae38756fe73206ec9fdbd4b1c8e57c6e880630385bd5fab2e57ec3f61eea4f3a7d9aa58c8f593eb68d8a6c5df116e24a19f7bdc771d7d97eec7f7cb602d9f234
SSDEEP: 768:mACSpftPzWIYHqfwyk0vsYRG3IUlcV0njosBRtmwOZO4KaAtGB9wMCC:mXSLiIask0vzA3IUlcVIjLB9nMD
Score: 10/10
Signatures:
- Modifies firewall policy service
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: dhl.exe
Size: 311KB
MD5: 1170aaabfc50ba1d8afd2bdd3fde5e33
SHA1: a345658edc7df429c515bc949d45661c7446136d
SHA256: 022600b997847cb9795b58cbef8b1058760d3037158f1d8890825f20e3f8745e
SHA512: 333c8e2af8f7b845abd897cd7d86ab68545ef2bddfda6f24216aa7fffeb39594756a666500fa3495205505bb485e4659c9e66f3c639d34bc12cf929b00950ea6
SSDEEP: 6144:eKYOSlWhmtC3G/414qs8Pz5Trd8Coc1O9gRyBDqP6K0Q0wKnL:e1/WYtwG24Qp+oOGROrK0W0L
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory

Target: mh3.exe
Size: 361KB
MD5: e48e887d5308de6e88b0edbcf0c05664
SHA1: b78c4d499717346c6da33f9d2a884aaaee74ebcc
SHA256: e18bc151f005b441f6003b4fc096583c8e4f312bc6439ecffc91b190d73171a2
SHA512: 5068add9bf1681ffb27c9e4867f80fe4ee484a3260b12c501988caaed1ce0876e295e1809b81c47bf2be4994d2e10728b12f84a3e84a212718a0fbc816cb68f7
SSDEEP: 6144:VLTG0GxC/dijE8O1udvvFsueJ+kXpJdkDStVvXGxcS985NRW1W:VfG7ggEN2Vsum+2pJ2YvXGKHW1W
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Loads dropped DLL

Target: server.exe
Size: 333KB
MD5: 44283b85db8476e3dbcab39e644a76bb
SHA1: afed9e102d07782074a63b8f5fae6ac0ee96ec1f
SHA256: 5e213f963cb6c381a34388e9d66456cc044c395d4921440acb9d80a9625803b2
SHA512: a5f5dd9ac7116971c65ad376d31b463d0b44b6cced3db08593030eb8ccd64e1fefa1f2c0531004dc347407c2f4f8090bab860e6485f91c3a31eb49b44df78bdf
SSDEEP: 6144:EgiFIfdAcDJiMm02wKURWl3I+q4NqBqAG:ri2dTDJiMmRvUROI+q4UBqAG
Score: 10/10
Signatures:
- Gh0st RAT payload
- Gh0strat family
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory

Target: smss.exe
Size: 68KB
MD5: 5e323d757a6a07aecf4e921632c567d8
SHA1: 8100e76c9443f22de4f39681a1ed4116733078ad
SHA256: 0356645bf1e19454452219fad72e96bfb0a4c1186ed605be48613ef7239c719e
SHA512: 69990c893139314f30cd9d84173bad001bd6195438202c187f162e0e89f5ee59d336d34ea15b6e1b77dc51af85e9a4d2623ccfdbbebc34d1e4719e1cfe11fcd4
SSDEEP: 768:CDADeZDX10q/CDmw2z2eMKsAEp/CpUEjlnsC6/6CymTy28c5iqe/RoA8SaQSzNGu:CDmcanD6z2emCnqX5Q/RoAq1mI6czt
Score: 1/10

Target: xiaoqi.exe
Size: 373KB
MD5: 6efca10c8e17afe05d27d95fccb716f7
SHA1: 301249f3ed1752d356190ef0d2c69a7146230456
SHA256: 259c407bda1695be09f554f0d1bd0f0a0d4b01c6a23a8ea1d2e37cb489f36610
SHA512: 58ceccb5b792477525657389f1ba53acd752ad90eea4a95ac11caa6c4e1818563d0a185befdd320ede7ea96d558d0f71d718ae5593c7a38e09590181b7c9db9b
SSDEEP: 6144:Q7Bt4haSZ22Q450Jo/2iFqLktLk3tS/Q8gslkdmlpI/EmUhla8GmUe/0M+JEbUcI:0BeaSZrX0JouiFqL0LqS4lKkdmlZS8GJ
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: xiaose.exe
Size: 537KB
MD5: 494303294715f5ffad7ad3f43b73b00b
SHA1: 6c1948f7edf115cd1f13cd170b882077930be150
SHA256: 27ce020f7cdb4b775b80bd6e3ef1d16079401e0d45cfd28ffbd8c63ff2ddf7d7
SHA512: 6a96af34a8443876222d61d6d99041f5f749d062bb65c2e580e9d50b2c7588c510d3c71fd72b0281f17a76bf76aee345c3227ae6d7502623fe600a2cd6da960b
SSDEEP: 12288:ItucH+fOkEXRTrC6/mdD0ehe2YvXGKHW1W:G5/mdD0ehtYOKHWY
Score: 10/10
Signatures:
- Modifies firewall policy service
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: yk.exe
Size: 377KB
MD5: 74a4b2735839c883bd1bd753d7626595
SHA1: 011d7a1d087fea34d6af4c1b661db525cd8cb858
SHA256: b00dc6e609c148ce7ee7a46ee1ca1a27f75468df22604a8a4ba5bd3b30be10bd
SHA512: a9ce015efc94636ff959348fdf18a45bd3cbefd8ac85b26f14d63bc1688d381bd1c9f9e947ac61cb8e8a2aa18a78f3d6e5f7a530802a81276cb6cd859a881ae5
SSDEEP: 6144:ysItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oXGxJOl9RtSxmGXNVeWxpHfaDXBi:ftWUzJq8YPbncT3+YqtumGKkajB/0qE
Signatures:
- Gh0st RAT payload
- Gh0strat family
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15 (number of matching tasks in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Server Software Component (1)
  - Terminal Services DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)