gh0strat | 646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

646e41913a...a1.exe

windows7-x64

646e41913a...a1.exe

windows10-2004-x64

Sharing

General

Target

646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1
Size

111KB
Sample

221121-qwn9bsbh32
MD5

32e81745a73a137f0f62dc6b72f14cc0
SHA1

6282016eb77734eef1e93c1cac40559969919fbb
SHA256

646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1
SHA512

2e62ec8afdfbf457d2ace589f33776e7a835ae3f8cde8fbf33b081015c83a7ac954ad001e9a066a7b241f7875cb5bd51e7363b147372f06b45f4277288b5f397
SSDEEP

1536:i8uMs+Jc7yvqPbsm8QfLpcILGoka7V2uJp1VcM/vfh7EP8Z8IeIgD31:+N+ibsmUul0uJXVb/Xh7EP88IeIgD

Score

10^/10

gh0strat persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe

Resource

win7-20220812-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1.exe

Resource

win10v2004-20220812-en

gh0strat persistence rat

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Targets

- Target
  
  646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1
- Size
  
  111KB
- MD5
  
  32e81745a73a137f0f62dc6b72f14cc0
- SHA1
  
  6282016eb77734eef1e93c1cac40559969919fbb
- SHA256
  
  646e41913ad9aeaa7bb848ac7a7f70834145700cc7018da923b2ec0b01b5faa1
- SHA512
  
  2e62ec8afdfbf457d2ace589f33776e7a835ae3f8cde8fbf33b081015c83a7ac954ad001e9a066a7b241f7875cb5bd51e7363b147372f06b45f4277288b5f397
- SSDEEP
  
  1536:i8uMs+Jc7yvqPbsm8QfLpcILGoka7V2uJp1VcM/vfh7EP8Z8IeIgD31:+N+ibsmUul0uJXVb/Xh7EP88IeIgD
Score

10^/10

gh0strat rat persistence
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpersistencerat

© 2018-2025

Terms | Privacy