gh0strat | 1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403 | Triage

Submit
Reports

Overview

overview

Static

static

1

1bfa758fb9...03.exe

windows7-x64

1bfa758fb9...03.exe

windows10-2004-x64

Sharing

General

Target

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403
Size

236KB
Sample

221128-m7sjcadf4x
MD5

3d80e6a989ea622e375699511f4d5dee
SHA1

964cd3555cb021285fc003f1476b2025097a56e5
SHA256

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403
SHA512

012c2eec7c84c6a0a90a02a2307a5a560e19502f10e73af1ffc82903282fdf0eb25d1b2959662095c9857ac778b214f8a8e54319160598e3c6ec49d26bcff98a
SSDEEP

6144:dQqjB8lD9jRWWPSRf5lRuGMJnuDoVg5cXa54CtrINR0A:WlFR3Yf5l2uMVg5cXl6rBA

Score

10^/10

gh0strat discovery exploit rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe

Resource

win7-20220901-en

gh0strat discovery exploit rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe

Resource

win10v2004-20220812-en

gh0strat discovery exploit rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403
- Size
  
  236KB
- MD5
  
  3d80e6a989ea622e375699511f4d5dee
- SHA1
  
  964cd3555cb021285fc003f1476b2025097a56e5
- SHA256
  
  1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403
- SHA512
  
  012c2eec7c84c6a0a90a02a2307a5a560e19502f10e73af1ffc82903282fdf0eb25d1b2959662095c9857ac778b214f8a8e54319160598e3c6ec49d26bcff98a
- SSDEEP
  
  6144:dQqjB8lD9jRWWPSRf5lRuGMJnuDoVg5cXa54CtrINR0A:WlFR3Yf5l2uMVg5cXl6rBA
Score

10^/10

gh0strat discovery exploit rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratdiscoveryexploitrat

behavioral2

gh0stratdiscoveryexploitrat

© 2018-2024

Terms | Privacy