gh0strat | ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550 | Triage

Submit
Reports

Overview

overview

Static

static

ec827ffc56...50.exe

windows7-x64

ec827ffc56...50.exe

windows10-2004-x64

Sharing

General

Target

ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550
Size

36KB
Sample

220927-nlpq1adch9
MD5

c71e89f8fc213c73ab59fc3e62c258f3
SHA1

2dfb26333f75d629b21ccf50e3612b4a9e2c4a0f
SHA256

ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550
SHA512

83960b66993ffb45b2962b38621ee67cb4a8b333dbb6d52d84cb88c61c7c27af0dac09210dfa8633b7f7455743203333392c9e7a89623478b33ba3c3bfdb5606
SSDEEP

192:60RmaRBUda7n9JlU2g1jJMOEyKbIYymt5XTtEyKihoynlwHLHTgH9N2tpgRmd8MS:60oBdq9JGqO+NxhcAdN2tpgwd5ASc

Score

10^/10

gh0strat evasion rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550.exe

Resource

win7-20220812-en

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550.exe

Resource

win10v2004-20220901-en

gh0strat evasion rat trojan upx

windows10-2004-x64

25 signatures

150 seconds

Malware Config

Targets

- Target
  
  ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550
- Size
  
  36KB
- MD5
  
  c71e89f8fc213c73ab59fc3e62c258f3
- SHA1
  
  2dfb26333f75d629b21ccf50e3612b4a9e2c4a0f
- SHA256
  
  ec827ffc5601ab5618483edb34adbce6ef5d70c5715118135890e2bcca8a6550
- SHA512
  
  83960b66993ffb45b2962b38621ee67cb4a8b333dbb6d52d84cb88c61c7c27af0dac09210dfa8633b7f7455743203333392c9e7a89623478b33ba3c3bfdb5606
- SSDEEP
  
  192:60RmaRBUda7n9JlU2g1jJMOEyKbIYymt5XTtEyKihoynlwHLHTgH9N2tpgRmd8MS:60oBdq9JGqO+NxhcAdN2tpgwd5ASc
Score

10^/10

evasion trojan gh0strat rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratevasionrattrojanupx

© 2018-2025

Terms | Privacy