gh0strat | 9229bf3c95eefabaf00e4221c0ff71ad3cb8c842a813d8a5816af2b0b15bba06 | Triage

Sharing

General

Target

9229bf3c95eefabaf00e4221c0ff71ad3cb8c842a813d8a5816af2b0b15bba06
Size

3.2MB
Sample

221125-1ch83sgc45
MD5

40aae305af33860e075bf6b4f63051b5
SHA1

911f50f74cdd5851ebbb81843b42856041b53e34
SHA256

9229bf3c95eefabaf00e4221c0ff71ad3cb8c842a813d8a5816af2b0b15bba06
SHA512

e6d74412c77f082b4de50af94af0d52ed89e02f0d2a372b78f30d91cb67373a419f21571c701a79fabfed40b32e90ca67fdbfb277aec71a0210d5ba77558e9c5
SSDEEP

49152:aq/GYM48GPV3AAiSCD2GLgRBMrKIDhP5e7mID3VSr+hWTZtzckj5rlv:aq/4wV382GySrKIDhgJ3VSeWTke5rlv

Score

10^/10

gh0strat persistence rat vmprotect

Malware Config

Targets

- Target
  
  夢魔个人远控GHOST+.3.78美化版/DivXAvi.dll
- Size
  
  31KB
- MD5
  
  1165f2a1b0823abe49b7661a7b020140
- SHA1
  
  26081e4aaa8b1ffc624fe2db56860e2b7692a469
- SHA256
  
  0e6563e748b51815c9af6e6b7c242da99ee633a3408b5b5b8ce14b1c9cb4fcd2
- SHA512
  
  4da6b74d2fa4129b1ae1f6a9e032c5da68aa841376f23ae647aa839c81082d8f330b130f3ede36af1b080a0aaa300da0a59d67fb912c96d687b01f482d3a40b4
- SSDEEP
  
  768:ZEP2MhadWk0jPcZ1Ie+TN44vM74kG3vYc1Iba7ed2t5:ZEP2MawPcZN+TSJ4R5845
Score

3^/10
behavioral1 behavioral2
- Target
  
  夢魔个人远控GHOST+.3.78美化版/MP3Enc.dll
- Size
  
  138KB
- MD5
  
  18230a6d17078ce4009baa99a425ee8d
- SHA1
  
  325984064a90f099e4d603c43ee89efaedc20e3a
- SHA256
  
  6822eb265957868141766320208c08ad85875bf85498eb176ecfd860907682b6
- SHA512
  
  22bb16d168760f40320e66f5c9222fb3dc798c9858699c4dcd293e2ec9380b964ca8d67cf3a95526e165f2dfa7fff8b5487653bdf00a36ce55ead9ceb5041178
- SSDEEP
  
  3072:Tv8PlwZEGazF9YS55qm1bBIqY8iR/sgwcKa2gQRjpp:4+ZwhtIBVuI7MFp
Score

1^/10
behavioral3 behavioral4
- Target
  
  夢魔个人远控GHOST+.3.78美化版/SkinH_EL.dll
- Size
  
  98KB
- MD5
  
  1dd2a4a0f4d21eb65db5895fca2ca489
- SHA1
  
  b0c0617f6f66b35e255ec9824cde41f382a60e80
- SHA256
  
  7a7f037bab8024a9d17fb225cc4aa04133081135ecc4be5bbb889c0fbebd7e0c
- SHA512
  
  214e7aa56e820ebec87a778293871672f7c4e92d06bdf5ba18a2fc536003b2e15ebdce65c1ae3c927a16fcfe865c1720a7262e7a700459c66b4ae563374518ae
- SSDEEP
  
  3072:lpuZ4KjoGDr8uuoP30t7JdjoS6JOe1R8h:SZ4yYoP30t7rDt9
Score

3^/10
behavioral5 behavioral6
- Target
  
  夢魔个人远控GHOST+.3.78美化版/Tool/xp3389.tool
- Size
  
  94KB
- MD5
  
  fda31787845353b9a8518f66288d2779
- SHA1
  
  9e3a0f09a92301fa8dc2e394958df2ad5d879372
- SHA256
  
  828f5c2e6e571f77872219b93d91ad35b237cb5ba11c459f217d304f9c270096
- SHA512
  
  36e8578973993d259a6b5db87e73d62e4fe27994f2339ef4b2f915ffd087664a90627e0eb751f6bdccb7c3aa96f968e59dd9c06298e584b9203b548c8f917611
- SSDEEP
  
  1536:Dszc35cz+VhixNufsomxrsbGAFKh87pZl6nC24Zj4BD1vnE9ZmPmMfKRdpV:Cc35cz+Vhiuf6wrWyZwnC2mKE9sP2N
Score

9^/10

persistence
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Sets DLL path for service in the registry
  persistence
- Modifies WinLogon
  persistence
behavioral7 behavioral8
- Target
  
  夢魔个人远控GHOST+.3.78美化版/Tool/zip/Stubs/lzma
- Size
  
  33KB
- MD5
  
  ed309dfd7026a539a7dbe3222a45086f
- SHA1
  
  523eac449446c5e6724526e197856348305959d7
- SHA256
  
  4bc4823e568aa8975aa04fea8a474b105668e19ec4d49f962f6b849e18b4ec03
- SHA512
  
  a1db1b8112849151c92181a821bb420283f600faea7bc7b2ec1c976349317fb8e5cf95f64341283d8be30c0e6d583ea7e4ec13bf44663b2b350170b6b1e0ad1f
- SSDEEP
  
  768:P4wO7XBz+5Qm3W0tYdrQZHV4EWuWEUOg4jjfS3XJ4ai:wLXB65939tY6HBg4sXJI
Score

3^/10
behavioral10 behavioral9
- Target
  
  夢魔个人远控GHOST+.3.78美化版/Tool/zip/Stubs/zlib
- Size
  
  35KB
- MD5
  
  d05fa54bf1f09272062afe436a912660
- SHA1
  
  29938e09ae8e694cd9ea62f9ba1eff4cfb32691e
- SHA256
  
  7ed4e5b7e696568f64ada79d7622c7a1a3f5afe656d559442d4ff0aacdba4e07
- SHA512
  
  45f8c765bc4b6350a936d19339b23c853a3d12a89ee231dfa5020580089fff49b6b512688bc355bb856088e0dcd4d8d043267f2ce1cccf8915032880fafa043c
- SSDEEP
  
  768:mHJd0TpH2+bQ2dUWVX9Hfv1JMWmtLEJOyuBxG0D3mjfS3XJpai:mpgpHzb9dZVX9fHMvG0D3XJl
Score

3^/10
behavioral11 behavioral12
- Target
  
  夢魔个人远控GHOST+.3.78美化版/Tool/zip/zip.exe
- Size
  
  484KB
- MD5
  
  88dff933b32e512f0e9472fcbb823eee
- SHA1
  
  a470a36ccfe089fbc5749db8f2f0d8bd7d079148
- SHA256
  
  fd706709a0b21eddefeecdd4b9762c38b33ff3b5f6b6bdfbd1e6b314e549b461
- SHA512
  
  cf1f2d6eb2d1cdcacf5d348157497ade89c502633ecfce3fb4894ec4731842def913b6b6c74774c216dff6fa07a21899f436c155541da3d0a2835b59e567d495
- SSDEEP
  
  12288:HH8S09neJVYiouxI5UPsjwMeuP30Is+tJgyHORzLHW3:nR0NeJVnX+UPsjjeGs+tKygzLHW
Score

1^/10
behavioral13 behavioral14
- Target
  
  夢魔个人远控GHOST+.3.78美化版/update/Server.Dat
- Size
  
  98KB
- MD5
  
  911224045dcba1f346fbdd7c06c523aa
- SHA1
  
  121568338ab4cee220cb659a6677a45cb4b7db0c
- SHA256
  
  355bd453f741ec762cc8d59581c18b1e04c1ceeb1b8b6e9ccc42116f30070b7c
- SHA512
  
  1f2f7a95680a055a2ea5aa5004cc931fd7243ec60d2072f6e9b4df42f25c2b82d369b0416cb6cab00775ff2829af96bb8e1a43f7f9befb10cc79b2c25e4e67a2
- SSDEEP
  
  3072:nFFil+VFbe1N9JJuusBBlMPmuf6znw9rzy0SwX:n6m4N9JJzqyyLXty
Score

10^/10

gh0strat rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
behavioral15 behavioral16
- Target
  
  夢魔个人远控GHOST+.3.78美化版/夢魔个人远控GHOST .3.78美化版.exe
- Size
  
  2.6MB
- MD5
  
  0eb7116e688d326570d76552b064e93d
- SHA1
  
  35a4d1f9c53aa0696573af96a28173c6ee961e51
- SHA256
  
  55a139e6f4c5fb4a6779370c2080aa7d684730a8215524f81cf37a3854ae3767
- SHA512
  
  ad4e3562122c67d42ca6d9e997030745bfd51469706ca6f6ca4f39a3a8f436b6882d30d5c53a0d3056bddfd1368794e10a4d130227622fd6f71d7841137d6ff6
- SSDEEP
  
  49152:U66M51oxJrgXaxyyxFMWWymDecmfQeTCdCatlnzTK7a:kMr4JpXxFMWZxtYeOgat9iG
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral17 behavioral18

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18