gh0strat

Sharing

Copy URL

Twitter E-mail

General

Target

fe76f77d15f401a592f6fa149958f3dfa56c428f7fd15299cb54278fb2c66a22
Size

1.5MB
Sample

221124-tw5g4afb29
MD5

1f7e6bb95c87103f7830a824ad1ad0f3
SHA1

b437390a5b6b994e3cbee3211d0a0f8c4a45fcb3
SHA256

fe76f77d15f401a592f6fa149958f3dfa56c428f7fd15299cb54278fb2c66a22
SHA512

e93c4272fa6e4e72eaffbf37faae5f8e2041676ab414b7b6777675bb29afa13197dbf45a0a2bd7f4bc440efd6df537f2ccd1e4af8c9f3f727f402c83fb2b4596
SSDEEP

24576:/4GZjNbkYb2LhHYBJwLSNGEx4OO/PqzMyNw+FnAtzLT4ZP5MVHd1PCAyBH85EfPk:/Rpbk54ByGNGYD8kL4UZuldNClF86Sv

Score

10^/10

Malware Config

Targets

- Target
  
  COMDLG32.OCX
- Size
  
  137KB
- MD5
  
  d76f0eab36f83a31d411aeaf70da7396
- SHA1
  
  9bc145b54500fb6fbea9be61fbdd90f65fd1bc14
- SHA256
  
  46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c
- SHA512
  
  9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d
- SSDEEP
  
  3072:VESIiWD8uq4hCqUt6mqD1gRshBgH/voqJrwo2CocrJbQN6N2TRqEydzXS0:VETz566VgRyOJ0oDxQRHf
Score

1^/10
behavioral1 behavioral2
- Target
  
  MSADODC.OCX
- Size
  
  115KB
- MD5
  
  d827412fc2d9c7bdc190a457206270ae
- SHA1
  
  14045b78fb848532b677bf8114c8107d21c28fa8
- SHA256
  
  d7a81a9de2c737673301d1d695bf31dfc2bc9bc5db2df18f85b4d4fa2e590a91
- SHA512
  
  975214f4c09295f09f3fc902fafec05d8179beccb44027851fb14177b350b65a02ba42f5f955b417e24b2bab0770070c3d6ba7254128d7eb3d1cae45c58cf266
- SSDEEP
  
  3072:o/jTv/fmKGte1zKjNv0+3hxW1LfqFBt1bURl/iu9pXKnfrD:QTv/fmKGtekO+3Tt1b2394D
Score

1^/10
behavioral3 behavioral4
- Target
  
  MSBIND.DLL
- Size
  
  76KB
- MD5
  
  195fe2c984e8d827b862672b0f4761e4
- SHA1
  
  ad4f27638c2fea85c89c103be71ad3465be8e3c4
- SHA256
  
  6120a0e85b95a02a8c8484f98936ee8ddf70f612554f3a7f1bd340b41aa42f62
- SHA512
  
  09b31f9b84380dbeba239d7aad62efc76a304b91b12f349827d069c25c5937b49ad68eb35279b956dbf3678e36ee8806ffcd54dce67bb39ed3359312dcbd9e36
- SSDEEP
  
  768:AarHIOwaS3/CKIrw2e4y8D38L5WFgkdshd8mDJYjAL/ywykErZXa8Jcs:Xhx99ya38VijOX/ywJIZXaSZ
Score

1^/10
behavioral5 behavioral6
- Target
  
  MSCOMCT2.OCX
- Size
  
  629KB
- MD5
  
  8facb683ecab70fb85b26683f9c742a3
- SHA1
  
  abb30706e49e6fb34b7e15ba154e3ada596c95ec
- SHA256
  
  8204b2913504c9c921b551d2b028c0171fe11c3ee38db788517830987ba5b126
- SHA512
  
  2e15e8935ce0eb347d1962dc7bdc7273a9991759c19473eed4822479b2286fd27910c95b6a568b57353be80860ef1aa7681c5c469ad252e797d8eaa7205e2caa
- SSDEEP
  
  12288:Cq0LGmVm1qt7k67ySrMFSIRXNOL2K7lqNXCVox+2buPGweLC/KD7lQb3D:T0imVbNkdSmQ2K7lCXi2buHeLC/YO/
Score

1^/10
behavioral7 behavioral8
- Target
  
  MSCOMCTL.OCX
- Size
  
  1.0MB
- MD5
  
  f7bbb7d79adb9e3adc13f3b3c33d3d4d
- SHA1
  
  cacb4b31d22419e6a9ddbffcf61ae42da0d5fb8a
- SHA256
  
  18a83d7a420a17fcb6f56eb3ba5362c975d32e5ded7553c6fd407f07bdb7b006
- SHA512
  
  4870ddbdf283d7f7f64d3f4bf556600a78804f6a94fc2ca7eb778e85d70b6d2d017aa35cbddf773b6a1b6d9a2813cd67fe54ede7859050a254a3e3c05616ae0e
- SSDEEP
  
  24576:mnt4M/pL1wAEIqSBanK6CC33VTj+1R8xRFLqqmbD1kWIAqPA:mPL15EIqS1e6q3FmKbt4
Score

1^/10
behavioral10 behavioral9
- Target
  
  MSDATGRD.OCX
- Size
  
  254KB
- MD5
  
  fa8de5f76ba59bc4190fde2c78401d40
- SHA1
  
  8704a57a8b9f3a55242b9eae710c2645286c6e64
- SHA256
  
  1582418d27088049bb8ce628f87f9243f8e3c949508a69a509f2462de9db943b
- SHA512
  
  5015dbf7c7d6fd8cc147f16d09cfadbbd9a97b028da4b6f6424b74e442358bc605a71c1a9e2e14d40dc3d116403ea5808c88e445c808cbcd434b451ba8a19c1e
- SSDEEP
  
  6144:4IlSW5FgJwxytkYUstwbk1jbubxayEPTPL9rXnK9i1dTlQn7:pj5FgJwzst2ejbecyErL9Yn7
Score

1^/10
behavioral11 behavioral12
- Target
  
  MSSTDFMT.DLL
- Size
  
  116KB
- MD5
  
  182f9ab07e664485cf6365a48c6eb320
- SHA1
  
  2998b03b64ce467d2e0a49a7da6a5d00cc60bfc1
- SHA256
  
  dd128783a1488cb20fca1990ec351b6b5f9feec9303eb40e427e3ec5f5153ae9
- SHA512
  
  33b0015e79c35d5b1c9acb18637709418e5fa424c954e7a42b1d2ac12b5a1d452e5e7c3b874d5f6acb26552457f21cab60ffd599d8927e73ef262227097d1fbc
- SSDEEP
  
  3072:45yxziOUO3nyA1HVrG7qPtvrb60+g/AgSRUqG:45yxzF3TLPrb6btnZ
Score

1^/10
behavioral13 behavioral14
- Target
  
  MSWINSCK.OCX
- Size
  
  105KB
- MD5
  
  9484c04258830aa3c2f2a70eb041414c
- SHA1
  
  b242a4fb0e9dcf14cb51dc36027baff9a79cb823
- SHA256
  
  bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
- SHA512
  
  9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
- SSDEEP
  
  3072:R7ZSBYfkVoFdRrqo0aRaA/HF673+UWHIfrb:RNkVsuaRaU6mHGb
Score

1^/10
behavioral15 behavioral16
- Target
  
  Readme-说明.htm
- Size
  
  2KB
- MD5
  
  3e1c74c278a133757ffa1ebf74ad15ab
- SHA1
  
  6f079812c0849e5bbefc9859f6a3f910741a9e46
- SHA256
  
  bfd1e75f4964c66ad33eaa2cba34b0d2f97135c7a3e336a3962fd3cc6a473347
- SHA512
  
  1543398f870cc5f6f32120c5fe441ba9a1fe56d0304c1b3ec03d31fe7ce431507424ef737501d39fdf42acbadf15d0672b5ced06483361abcbf208835d43be71
Score

1^/10
behavioral17 behavioral18
- Target
  
  jmail.dll
- Size
  
  315KB
- MD5
  
  4af612fbff91936fb2f780ea5ca307cf
- SHA1
  
  5fbc771ba729b7717278502838ac879322e2c18f
- SHA256
  
  7aca4b4e58c8092addfb1a56c665827ff04168562f6a6303d21b60e606af875f
- SHA512
  
  3863319881675dd7c42958a25af8cfcabe6f5fb5498e2f40efafe937f1d245d4da57a5e1bbc23f471fb1dff4c330938eb1d25775a2e7ca01fb75938c8d0ac9ee
- SSDEEP
  
  3072:yezWpGOdJXncK5FLCVMZVDtkOPwSYpAHYzxTDtbWzLaSxRW4bGtVHq1ySe6gVvvm:ah5FLZVDtkObHYl99WQlHq4OgVvv4
Score

1^/10
behavioral19 behavioral20
- Target
  
  run.exe
- Size
  
  107KB
- MD5
  
  9600799c1b9ef711c48967fe354ef57c
- SHA1
  
  10bbd5671d071c66e5a1c81d3f23b3be18d37f12
- SHA256
  
  1e8cb74780f21ae6c11504f04cf084acfc4ef6a73cfa12e3bb8ce423c55cdae3
- SHA512
  
  94037e08596bc60d8541b249a655b4aa16724727415a7672879699b29db0c70d1b3064cd20fd3cc50ae5ee2b1baf9d36b93b2f1f57a2afd5fcbbc2096210b1b3
- SSDEEP
  
  3072:Rt6XkomyxsPRRf9joJFWZCZ1UTpO2BAsq+Bxa/2CGwp4jqR:Rt6XkomyxsPDf5oJFWZUO82G57/2CGw5
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
behavioral21 behavioral22
- Target
  
  yuren2008.exe
- Size
  
  352KB
- MD5
  
  6c633875ebe2924b612b5bb6e9e0316a
- SHA1
  
  04b4d98a92d3ec21c2ff0f8c1eb80b5fcb52c91a
- SHA256
  
  a844b97d833b2c883059c07b219f3b8ec043b3f8fd8331a3f6dfc9bc3294cc14
- SHA512
  
  de1dfbab32a3ab03977907cf4464e2c0af52b160471d165796b35013336924bd2756f1c13a3462b5596b5964819bbcea763b62175f5770387552ccea2191ab9e
- SSDEEP
  
  6144:C/pFlIeCoohSQlOG4EzCxVZ6SyLiSNVy3ETtxPHkZ5AI9E2FLYi7N7H2CpnzNw1F:UjIeC5kGADyLHNVtT7k9qCk0N7Hnnwoo
Score

1^/10
behavioral23 behavioral24

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Gh0st RAT payload

Drops file in Drivers directory

Sets DLL path for service in the registry

Deletes itself

Loads dropped DLL

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24