General

  • Target

    036fb979c198e1cba60e8ef3b6f9170121d4f346a0dee342711b18d809605fc5

  • Size

    213KB

  • Sample

    250701-f8w5lasmv4

  • MD5

    59e5395604979990fbf63f3033c048a6

  • SHA1

    9dc2d16da979c2d464801be55073f0426ccf96db

  • SHA256

    036fb979c198e1cba60e8ef3b6f9170121d4f346a0dee342711b18d809605fc5

  • SHA512

    6fbe3c67d98aa5e8111f163510996cf8f968012c76f2f3f6f62e7728983e20f38283ea968578e7b431f54954e6a0d113558588486fa3f4169c7d342e05237660

  • SSDEEP

    3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF:X2vnSwjaOcADw9cUeCOf

Malware Config

Extracted

Family

gh0strat

C2

107.163.241.193:6520

http://107.163.241.181:16300/

http://107.163.241.182:12354/login.php

Attributes
  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

Targets

    • Target

      036fb979c198e1cba60e8ef3b6f9170121d4f346a0dee342711b18d809605fc5

    • Size

      213KB

    • MD5

      59e5395604979990fbf63f3033c048a6

    • SHA1

      9dc2d16da979c2d464801be55073f0426ccf96db

    • SHA256

      036fb979c198e1cba60e8ef3b6f9170121d4f346a0dee342711b18d809605fc5

    • SHA512

      6fbe3c67d98aa5e8111f163510996cf8f968012c76f2f3f6f62e7728983e20f38283ea968578e7b431f54954e6a0d113558588486fa3f4169c7d342e05237660

    • SSDEEP

      3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF:X2vnSwjaOcADw9cUeCOf

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v16

Tasks