gh0strat | acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a | Triage

Submit
Reports

Overview

overview

Static

static

acba7be5d9...2a.exe

windows7-x64

acba7be5d9...2a.exe

windows10-2004-x64

Sharing

General

Target

acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a
Size

152KB
Sample

221128-gj7qgaef6x
MD5

553704745f569ee423914de4067db62a
SHA1

c5cc3b31d96851ca2402cce1aa0da5764af2d1a3
SHA256

acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a
SHA512

e5146f98621c8c2ff84468c650e2d07bcc57a171e1bd99e28381ae2e0af23e6080cbde91455be1fb233a3c833d3e7a33944c40717ce2bf54aea8dc4302118a3a
SSDEEP

3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUZ:8FCqxB4Ng9GLjcoCmFJLXUZ

Score

10^/10

gh0strat persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe

Resource

win7-20221111-en

gh0strat persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe

Resource

win10v2004-20220812-en

gh0strat persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a
- Size
  
  152KB
- MD5
  
  553704745f569ee423914de4067db62a
- SHA1
  
  c5cc3b31d96851ca2402cce1aa0da5764af2d1a3
- SHA256
  
  acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a
- SHA512
  
  e5146f98621c8c2ff84468c650e2d07bcc57a171e1bd99e28381ae2e0af23e6080cbde91455be1fb233a3c833d3e7a33944c40717ce2bf54aea8dc4302118a3a
- SSDEEP
  
  3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUZ:8FCqxB4Ng9GLjcoCmFJLXUZ
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Blocklisted process makes network request
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2024

Terms | Privacy