General

  • Target

    95eee43bc6243b3946bf742b944c2a8a181436d2d2546175d9adfb137e35ea2f

  • Size

    214KB

  • Sample

    250701-gtspas1wct

  • MD5

    4cbdbe50bb53d753816f41ba4f4418fd

  • SHA1

    f8a7fa0965c98847966b70215a7a2c63f5c95b7c

  • SHA256

    95eee43bc6243b3946bf742b944c2a8a181436d2d2546175d9adfb137e35ea2f

  • SHA512

    fcebff3b971d2a766b3662e172adf5b68899a0211ab78ef5a8308c96457167e1f48b46e16fd82e135358dd9d4013ee85f42f118949ed99052a93a826af2e78f3

  • SSDEEP

    3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF:X2vnSwjaOcADw9cUeCOf

Malware Config

Extracted

Family

gh0strat

C2

107.163.241.193:6520

http://107.163.241.181:16300/

http://107.163.241.182:12354/login.php

Attributes
  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

Targets

    • Target

      95eee43bc6243b3946bf742b944c2a8a181436d2d2546175d9adfb137e35ea2f

    • Size

      214KB

    • MD5

      4cbdbe50bb53d753816f41ba4f4418fd

    • SHA1

      f8a7fa0965c98847966b70215a7a2c63f5c95b7c

    • SHA256

      95eee43bc6243b3946bf742b944c2a8a181436d2d2546175d9adfb137e35ea2f

    • SHA512

      fcebff3b971d2a766b3662e172adf5b68899a0211ab78ef5a8308c96457167e1f48b46e16fd82e135358dd9d4013ee85f42f118949ed99052a93a826af2e78f3

    • SSDEEP

      3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkTF:X2vnSwjaOcADw9cUeCOf

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • Gh0strat family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v16

Tasks