gh0strat | f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581 | Triage

Submit
Reports

Overview

overview

Static

static

f38acdac6b...81.exe

windows7-x64

f38acdac6b...81.exe

windows10-2004-x64

Sharing

General

Target

f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581
Size

107KB
Sample

221124-btzjyshh56
MD5

0852e655acfacb658792174480ee42f0
SHA1

12236c070bd5b38f2271ac8ff7240e0e347783c1
SHA256

f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581
SHA512

f967a9d9128d1f2cc8a38b986d10ac5605690de3b01139446ff41badff4ee80dea94f59f6e234f2cbe578e55373e8439542608bd78eaf697df0c746404c7b941
SSDEEP

3072:IFz90hq+Yc7Hf4oa5r5sojsj+oMep6Gm1j:Inycc7/4D95sqBFm6GmN

Score

10^/10

gh0strat evasion persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581.exe

Resource

win7-20221111-en

gh0strat persistence rat

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581.exe

Resource

win10v2004-20220901-en

gh0strat evasion persistence rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581
- Size
  
  107KB
- MD5
  
  0852e655acfacb658792174480ee42f0
- SHA1
  
  12236c070bd5b38f2271ac8ff7240e0e347783c1
- SHA256
  
  f38acdac6bca307674f1329c73c00704080fa444f331c73cbb775ea81e646581
- SHA512
  
  f967a9d9128d1f2cc8a38b986d10ac5605690de3b01139446ff41badff4ee80dea94f59f6e234f2cbe578e55373e8439542608bd78eaf697df0c746404c7b941
- SSDEEP
  
  3072:IFz90hq+Yc7Hf4oa5r5sojsj+oMep6Gm1j:Inycc7/4D95sqBFm6GmN
Score

10^/10

gh0strat persistence rat evasion
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Modifies firewall policy service
  evasion
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratevasionpersistencerat

© 2018-2024

Terms | Privacy