gh0strat | d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5 | Triage

Submit
Reports

Overview

overview

Static

static

d12c43c0a5...c5.exe

windows7-x64

d12c43c0a5...c5.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5
Size

734KB
Sample

221203-jp5jeaah8v
MD5

34830c5d4f7c790947f463fef7a295ac
SHA1

e64e46eab2cf1d4c682c698a965e64931f9d6ec5
SHA256

d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5
SHA512

5c8f42b404ef8fe25127a221543a9a22c4d8865881b8bbf5348f859a2af0fb6a8ec05738e37fea13f573647f148e77cd87f4584059c86629f48b78fd586d2dd2
SSDEEP

12288:8Q/xGfGdQU1vE/Cnkwe50TOm/NqAJrAiP5L6tUuZqmpykdsR8C+QhVdPfM5gtE2c:8QEGtc/CnC50Jl6tUuZqeyiQhrnfrtEM

Score

10^/10

gh0strat evasion persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5.exe

Resource

win7-20221111-en

gh0strat evasion persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5.exe

Resource

win10v2004-20220812-en

gh0strat evasion persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5
- Size
  
  734KB
- MD5
  
  34830c5d4f7c790947f463fef7a295ac
- SHA1
  
  e64e46eab2cf1d4c682c698a965e64931f9d6ec5
- SHA256
  
  d12c43c0a56e3bf52c7bd21804b4c3c4aae462eb77488b76bd51c3a9c0c208c5
- SHA512
  
  5c8f42b404ef8fe25127a221543a9a22c4d8865881b8bbf5348f859a2af0fb6a8ec05738e37fea13f573647f148e77cd87f4584059c86629f48b78fd586d2dd2
- SSDEEP
  
  12288:8Q/xGfGdQU1vE/Cnkwe50TOm/NqAJrAiP5L6tUuZqmpykdsR8C+QhVdPfM5gtE2c:8QEGtc/CnC50Jl6tUuZqeyiQhrnfrtEM
Score

10^/10

gh0strat evasion persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratevasionpersistencerat

behavioral2

gh0stratevasionpersistencerat

© 2018-2025

Terms | Privacy