gh0strat | 8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99 | Triage

Submit
Reports

Overview

overview

Static

static

8d64aff2b6...99.exe

windows7-x64

8d64aff2b6...99.exe

windows10-2004-x64

Sharing

General

Target

8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99
Size

177KB
Sample

221124-2cxl5sgc7v
MD5

d2e188657a3a3706547636099ee91e4b
SHA1

a900f8472495d7ebf0c718ad6e555d7bda4e04a6
SHA256

8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99
SHA512

1ee1efc7c74c2a75870e5d16cb4220e4f6113aafd24ce9ad9104b02909a499c5a3d34e93d897d71a9ddfce2238b2c4666b5b442d661944bb03cf072d592d2460
SSDEEP

3072:ezZCwyESXpbo6aywuxuWuHZQEIplVwE7T2f46S7O+FI7aICpsX:cyLs6ayFus7j7i

Score

10^/10

gh0strat persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99.exe

Resource

win7-20221111-en

gh0strat persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99.exe

Resource

win10v2004-20221111-en

gh0strat persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99
- Size
  
  177KB
- MD5
  
  d2e188657a3a3706547636099ee91e4b
- SHA1
  
  a900f8472495d7ebf0c718ad6e555d7bda4e04a6
- SHA256
  
  8d64aff2b644ac993389c1ad1ec2b47c459c63ddd7f5815ea353a49014ed4a99
- SHA512
  
  1ee1efc7c74c2a75870e5d16cb4220e4f6113aafd24ce9ad9104b02909a499c5a3d34e93d897d71a9ddfce2238b2c4666b5b442d661944bb03cf072d592d2460
- SSDEEP
  
  3072:ezZCwyESXpbo6aywuxuWuHZQEIplVwE7T2f46S7O+FI7aICpsX:cyLs6ayFus7j7i
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Blocklisted process makes network request
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2024

Terms | Privacy