gh0strat | 5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25 | Triage

Submit
Reports

Overview

overview

Static

static

1

5681f93f1d...25.exe

windows7-x64

5681f93f1d...25.exe

windows10-2004-x64

Sharing

General

Target

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25
Size

12.9MB
Sample

221123-lr42rsfe7t
MD5

a93181bb75efe8ad296d3853f36ed19b
SHA1

31da220231c677a097f9bc6b4740e67775b7b0f5
SHA256

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25
SHA512

6bdd6b8518d3325a3d6eb1ed3b529119e9d1c9c5ca8c6ae5655bcb9c5bd614dc94c7227fcde02e9babb25c18532e12f3d9846994ba62c46c0d068c310e8eaf6a
SSDEEP

196608:UNDjo2ZJPJNHIhzGcHz3j8xwPpWrqUrmpvJIkbrQXho+CiFiSLvsJ4KCXyan5MUi:UZxyRv8xQpW+JERo+tXCdCLn+

Score

10^/10

gh0strat persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe

Resource

win7-20221111-en

gh0strat persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25.exe

Resource

win10v2004-20220901-en

gh0strat persistence rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25
- Size
  
  12.9MB
- MD5
  
  a93181bb75efe8ad296d3853f36ed19b
- SHA1
  
  31da220231c677a097f9bc6b4740e67775b7b0f5
- SHA256
  
  5681f93f1dc53dfa98bac3d8ac6ffe65726b64401c45cfea0dde7d8a7cf5fc25
- SHA512
  
  6bdd6b8518d3325a3d6eb1ed3b529119e9d1c9c5ca8c6ae5655bcb9c5bd614dc94c7227fcde02e9babb25c18532e12f3d9846994ba62c46c0d068c310e8eaf6a
- SSDEEP
  
  196608:UNDjo2ZJPJNHIhzGcHz3j8xwPpWrqUrmpvJIkbrQXho+CiFiSLvsJ4KCXyan5MUi:UZxyRv8xQpW+JERo+tXCdCLn+
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2024

Terms | Privacy