Tricks and Treats: GHOSTPULSE’s new pixel-level deception — Elastic Security Labs
Tags
attack-pattern: JavaScript - T1059.007 | Malware - T1587.001 | Malware - T1588.001 | PowerShell - T1059.001 | Tool - T1588.002 | PowerShell - T1086
Common Information
Type | Value |
---|---|
UUID | 85d1ded2-fcc1-4e96-a67b-a2af82517ca6 |
Fingerprint | ad9053292d9d87d2 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Oct. 19, 2024, midnight |
Added to db | Oct. 18, 2024, 10:15 p.m. |
Last updated | Dec. 17, 2024, 7:36 p.m. |
Headline | Tricks and Treats: GHOSTPULSE’s new pixel-level deception |
Title | Tricks and Treats: GHOSTPULSE’s new pixel-level deception — Elastic Security Labs |
Detected Hints/Tags/Attributes | 39/1/16 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.elastic.co/security-labs/tricks-and-treats |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 306 | ✔ | Elastic Security Labs | https://www.elastic.co/security-labs/rss/feed.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 2 | | winrar01.b-cdn.net |
Details | Domain | 4 | | reinforcenh.shop |
Details | Domain | 4 | | stogeneratmns.shop |
Details | Domain | 4 | | fragnantbui.shop |
Details | Domain | 4 | | drawzhotdog.shop |
Details | Domain | 4 | | vozmeatillu.shop |
Details | Domain | 4 | | offensivedzvju.shop |
Details | Domain | 4 | | ghostreedmnu.shop |
Details | Domain | 4 | | gutterydhowi.shop |
Details | Domain | 2 | | riderratttinow.shop |
Details | File | 219 | | setup.exe |
Details | File | 1 | | setup_light.exe |
Details | sha256 | 2 | | 57ebf79c384366162cb0f13de0de4fc1300ebb733584e2d8887505f22f877077 |
Details | sha256 | 2 | | b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae |
Details | Yara rule | 1 | | rule Windows_Trojan_GHOSTPULSE_1 { meta: author = "Elastic Security" creation_date = "2024-10-15" last_modified = "2024-10-15" os = "Windows" arch = "x86" category_type = "Trojan" family = "GHOSTPULSE" threat_name = "Windows.Trojan.GHOSTPULSE" license = "Elastic License v2" strings: $stage_1 = { 49 63 D0 42 8B 0C 0A 41 03 CA 89 0C 1A 8B 05 ?? ?? ?? ?? 44 03 C0 8B 05 ?? ?? ?? ?? 44 3B C0 } $stage_2 = { 48 89 01 48 8B 84 24 D8 00 00 00 48 8B 4C 24 78 8B 49 0C 89 08 C7 44 24 44 00 00 00 00 } condition: any of them } |
Details | Yara rule | 1 | | rule Windows_Trojan_GHOSTPULSE_2 { meta: author = "Elastic Security" creation_date = "2024-10-10" last_modified = "2024-10-10" os = "Windows" arch = "x86" category_type = "Trojan" family = "GHOSTPULSE" threat_name = "Windows.Trojan.GHOSTPULSE" license = "Elastic License v2" strings: $a1 = { 48 83 EC 18 C7 04 24 00 00 00 00 8B 04 24 48 8B 4C 24 20 0F B7 04 41 85 C0 74 0A 8B 04 24 FF C0 89 04 24 EB E6 C7 44 24 08 00 00 00 00 8B 04 24 FF C8 8B C0 48 8B 4C 24 20 0F B7 04 41 83 F8 5C } condition: all of them } |