gh0strat | 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee | Triage

Submit
Reports

Overview

overview

Static

static

1

304b22f1b5...ee.exe

windows7-x64

304b22f1b5...ee.exe

windows10-2004-x64

Sharing

General

Target

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee
Size

1.8MB
Sample

221129-s3hq8sfc6y
MD5

5e4e6beee345bc64fb79b527f24cbdbb
SHA1

eb09e2cac1201f6859a2a32617c38ca8ca3e29dd
SHA256

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee
SHA512

011758622d12280a9ea6d51874fd108294c54f2554996a480b24d6e6ba4ab1e848612b16fda0ba6b0ec2e1450b1a18cfc064400245e103ae8714a7c389095c97
SSDEEP

49152:bpobWsin5UdSluJGOjft7sEFF5fSJbTwU9rT4nRmzD2rlWT:dobQ5uSrOjfi454bTwizDxT

Score

10^/10

gh0strat rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe

Resource

win7-20220901-en

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee
- Size
  
  1.8MB
- MD5
  
  5e4e6beee345bc64fb79b527f24cbdbb
- SHA1
  
  eb09e2cac1201f6859a2a32617c38ca8ca3e29dd
- SHA256
  
  304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee
- SHA512
  
  011758622d12280a9ea6d51874fd108294c54f2554996a480b24d6e6ba4ab1e848612b16fda0ba6b0ec2e1450b1a18cfc064400245e103ae8714a7c389095c97
- SSDEEP
  
  49152:bpobWsin5UdSluJGOjft7sEFF5fSJbTwU9rT4nRmzD2rlWT:dobQ5uSrOjfi454bTwizDxT
Score

10^/10

gh0strat rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy