gh0strat | 6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

6ac1a3bdd9...16.exe

windows7-x64

6ac1a3bdd9...16.exe

windows10-2004-x64

Sharing

General

Target

6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916
Size

162KB
Sample

221011-wvj6wahbcj
MD5

6540da98c6bf8f8faa145222d5cc3870
SHA1

135d89f6bd483af7ebe5f404c07ddbed539305df
SHA256

6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916
SHA512

84d3922116206182ead4dfc1aee3db736c83423a4ebf447750ff085044c8d4592530fddc97bf910a56324b161d742ce19bbc4649188b27660351c123e726148e
SSDEEP

3072:6584GfIcKMq0FvNc4g441eja0doSji58hChiLotV:6mfI9MbFvNc4XkSjdot

Score

10^/10

gh0strat persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916.exe

Resource

win7-20220812-en

gh0strat persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916.exe

Resource

win10v2004-20220812-en

gh0strat persistence rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916
- Size
  
  162KB
- MD5
  
  6540da98c6bf8f8faa145222d5cc3870
- SHA1
  
  135d89f6bd483af7ebe5f404c07ddbed539305df
- SHA256
  
  6ac1a3bdd906172a774fa64d06248d5a394daa53660249b867501af2a4d9e916
- SHA512
  
  84d3922116206182ead4dfc1aee3db736c83423a4ebf447750ff085044c8d4592530fddc97bf910a56324b161d742ce19bbc4649188b27660351c123e726148e
- SSDEEP
  
  3072:6584GfIcKMq0FvNc4g441eja0doSji58hChiLotV:6mfI9MbFvNc4XkSjdot
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Blocklisted process makes network request
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2025

Terms | Privacy