📃Title: GhostEmperor: From ProxyLogon to kernel mode
📅Date: 2021-09-30
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer= Kaspersky
  • target-information=“Malaysia”
  • target-information=“Afghanistan”
  • target-information=“Egypt”
  • target-information=“Ethiopia”
  • target-information=“Indonesia”
  • target-information=“Thailand”
  • target-information=“Vietnam”
  • malpedia=“GhostEmperor”
  • online-service=“3b16bb5a-eb4f-4603-a909-bebc5df4a46d”
  • malpedia=“Ladon”
  • malpedia=“MimiKatz”
  • malpedia=“PowerCat”
  • threat-actor= GhostEmperor
  • mitre-attack-pattern=[]

MISP event uuid: c5796e2a-1297-4f8f-b559-00169e2fb88f

Indicator of Compromise (IoCs)

type,value,comment
md5, 012862165ec105a44fea14face53492f, 'Stage 1 – PowerShell Dropper'
md5, 6a44fdd66ab841c33949620666ca847a, 'Stage 2 – Service DLL'
md5, 2dd0885f84b890883a396030db841d28, 'Stage 2 – Service DLL'
md5, 0bbfba106fbb9e310330dc87c32cb6d1, 'Stage 4'
md5, 6685323c61d8edb4a6e35796af34d626, 'Stage 4'
md5, be38d173e4e9118bdc2e83fd5f90be3b, 'Post-exploitation'
md5, f078ac9b012c503d35254af9629d3b67, 'Post-exploitation'
md5, 7394229455151a9cd036383027a1536b, 'Driver'
md5, 1bc301aa9b861f762ce5f376228e992a, 'Stage 2 – Service DLL (no sample in VT; last check 09/05/2025)'
hostname, imap.newlylab.com, ''
hostname, mail.reclubpress.com, ''
hostname, imap.webdignusdata.com, ''
domain, freedecrease.com, ''
domain, aftercould.com, ''
domain, datacentreonline.com, ''
hostname, game.newfreepre.com, ''
ip-dst, 27.102.113.57, ''
ip-dst, 27.102.113.240, ''
ip-dst, 27.102.114.55, ''
ip-dst, 27.102.115.51, ''
ip-dst, 27.102.129.120, ''
ip-dst, 107.148.165.158, ''
ip-dst, 154.223.135.214, ''

Full IOCs available in Rectifyq’s MISP
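The table above is the kind of type,value,comment export a MISP instance produces, and the practical question is how to turn it into a lookup that does not miss hits through trivial normalisation differences (upper-case hashes, trailing dots, mixed-case names) or produce false hits by over-matching (treating a listed hostname as if the whole zone were an indicator). The following is an added example written for this page, not code from Kaspersky or from Rectifyq's MISP: it embeds a subset of the rows above, normalises each indicator type, matches hostname IoCs exactly and domain IoCs against any subdomain, and runs the result over a handful of constructed log records (not real telemetry). Function names and the record format are this example's own choices.

```python
import csv
import io
import ipaddress
import re

# Subset of the IoC rows from the table above, embedded so the example runs
# offline. The comment column is parsed but not matched on.
IOC_CSV = """type,value,comment
md5, 012862165ec105a44fea14face53492f, 'Stage 1 – PowerShell Dropper'
md5, 7394229455151a9cd036383027a1536b, 'Driver'
hostname, imap.newlylab.com, ''
hostname, game.newfreepre.com, ''
domain, freedecrease.com, ''
domain, aftercould.com, ''
ip-dst, 27.102.113.57, ''
ip-dst, 107.148.165.158, ''
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")


def load_iocs(text):
    """Parse the type,value,comment CSV into sets of normalised values.

    Fields are stripped of the padding spaces seen in the table, hashes and
    names are lower-cased, IPs are canonicalised with ipaddress, so that every
    later lookup is an exact match on a normal form. Unknown types are skipped;
    a malformed hash is an error rather than a silently dead indicator.
    """
    iocs = {"md5": set(), "hostname": set(), "domain": set(), "ip-dst": set()}
    reader = csv.reader(io.StringIO(text), skipinitialspace=True, quotechar="'")
    next(reader)  # header row
    for row in reader:
        if len(row) < 2:
            continue
        kind, value = row[0].strip(), row[1].strip()
        if kind == "md5":
            value = value.lower()
            if not MD5_RE.fullmatch(value):
                raise ValueError(f"malformed md5 in IoC list: {value!r}")
        elif kind in ("hostname", "domain"):
            value = value.lower().rstrip(".")
        elif kind == "ip-dst":
            value = str(ipaddress.ip_address(value))
        else:
            continue
        iocs[kind].add(value)
    return iocs


def match_name(iocs, name):
    """Return the matching indicator for a DNS name, or None.

    hostname IoCs match exactly; domain IoCs also cover every label under them.
    The reverse does not hold: imap.newlylab.com being listed does not make
    newlylab.com or smtp.newlylab.com an indicator.
    """
    name = name.lower().rstrip(".")
    if name in iocs["hostname"]:
        return name
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs["domain"]:
            return candidate
    return None


def match_ip(iocs, ip):
    """True if ip (any textual form ipaddress accepts) is a listed ip-dst."""
    try:
        return str(ipaddress.ip_address(ip)) in iocs["ip-dst"]
    except ValueError:
        return False


def match_md5(iocs, digest):
    """Case-insensitive MD5 lookup."""
    return digest.strip().lower() in iocs["md5"]


def scan(iocs, records):
    """Run the IoCs over (source, field, value) records; return (source, type, indicator) hits."""
    hits = []
    for source, field, value in records:
        if field == "query":
            hit = match_name(iocs, value)
            if hit:
                hits.append((source, "name", hit))
        elif field == "dst" and match_ip(iocs, value):
            hits.append((source, "ip-dst", str(ipaddress.ip_address(value))))
        elif field == "md5" and match_md5(iocs, value):
            hits.append((source, "md5", value.strip().lower()))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    ("dns", "query", "IMAP.newlylab.com."),    # hostname hit despite case and trailing dot
    ("dns", "query", "cdn.freedecrease.com"),  # subdomain of a listed domain
    ("dns", "query", "smtp.newlylab.com"),     # no hit: only imap.newlylab.com is listed
    ("conn", "dst", "27.102.113.57"),
    ("conn", "dst", "27.102.113.58"),          # neighbouring address, not an indicator
    ("edr", "md5", "012862165EC105A44FEA14FACE53492F"),
]

if __name__ == "__main__":
    for hit in scan(load_iocs(IOC_CSV), SAMPLE_RECORDS):
        print(hit)
```

Running it yields four hits out of six records; the two misses are deliberate and illustrate the boundary a practitioner should keep in mind when loading a feed like this: a listed hostname does not cover sibling hosts in the same zone, and a listed address does not cover its neighbours unless the feed itself lists a range.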