gh0strat | 22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e | Triage

Sharing

General

Target

Malz2.zip
Size

1.2MB
Sample

230327-ld38baeg4w
MD5

654152a72f0675390037696f07a2cff0
SHA1

301b458d91f832caf71cedbb5fd58231f82c7275
SHA256

22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e
SHA512

a6cdbd8a0c46e1bc4522b9feda09aadae4625ff1911ae1934ea26bc97660810f62ff76b12ff7cd84d421856e93ae9ec69906f99c99f4e9db90702ffea89924be
SSDEEP

24576:IY3DYKwClIJ26eoyo5tRTc427AHK51fLl8L+dKm/mTkLSmZQ:r3zwCMeobta8HK5hWL+dKm/mTAHQ

Score

10^/10

gh0strat linux persistence rat upx

Malware Config

Targets

- Target
  
  1.exe
- Size
  
  103KB
- MD5
  
  4a953a639593adb97eacef0e3992b818
- SHA1
  
  ecf5ae2648ec0660c82912c0fd6ecc7fbfab9df2
- SHA256
  
  f3ea4dfbb6a31ba417d3e9caa90159e0e786226743a7b5ed04701f847054366f
- SHA512
  
  ea701c6474dfa1d910c5c3abbfa01e615bab73521f841eb15b9d76488cff6e6aa33caff4c7c65bfc97f8ff47e06e17e9979cd0ff305fd18aed76729500822e3b
- SSDEEP
  
  3072:d1Gqq3S4eaIv3RcX00sQJS+a/u/uLx0By:d1Gqq3LeRChsQQ+a/x0By
Score

7^/10

persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Fallen.exe
- Size
  
  11KB
- MD5
  
  1423f94092ba6a80ec571748e08d396e
- SHA1
  
  3839e76d9f01f9a92304cab21aa130f5800f71d2
- SHA256
  
  f595233fa17f4f280bd88b012419652b8d11f086ccc497ab5c796eba39498e60
- SHA512
  
  197fb512e2ee4d4cd3bf499e70a1ffda8e107efc6e6a354622448b7dac575701d6f2288df97db568df7e27e780750bc4c3337ffc869adffbd21b013c69aba18f
- SSDEEP
  
  192:lWSZPpGh+GERpCJv+A3zBEZJ/zauVGBch+OLK72Qeo9cfFBKCJ8N:EyPpoUCJv+G9En/zauVy0+372QB9YJU
Score

7^/10

upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  Inte.exe
- Size
  
  56KB
- MD5
  
  1ea2c756a0f0528d2e80ab204aa9de0b
- SHA1
  
  44177c8b4959a3b84ae65a5ea724a8e409b3dec1
- SHA256
  
  6d77d544364cdfaebd7252d14091653c903d0a11c34bddad60f5951da257a651
- SHA512
  
  ecaa88ae3a0b51ba9320870a6b7172a3f02c466571d79f7536ee3b557da14f0b268be39cc3fbeadae79f3de33d816a59737efdc7ce11d322d4891c82421d1de5
- SSDEEP
  
  768:KaYYkgyowxPDvHzWpHPhh+RT26A6PhSDFPlkFUHHnOsv7uZYDl:KaYYkgyowxbeHPyRT2wZSZPbnO9Wl
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  LX64
- Size
  
  226KB
- MD5
  
  fd9a0b5c4dbe2a05f00ac465bc5017d3
- SHA1
  
  f0a22333edda7b2ec3b9f86672bb3ec532843d9e
- SHA256
  
  8e0fc7bab60b9f3c02304b5fccc0ed323d9898c58c18e530975370f667553b87
- SHA512
  
  8f756cfe58df2d6407e21eb71087c775f42cebbee3b4e8ec676a812cc811e82bd82a5c6ed98ec709f97bc8e6a5bb5fdaab534e43c4e39259d92d36b4e551165e
- SSDEEP
  
  3072:DD6WcFtC7hUQWuhPXpvkZ/2UnIftD+zOXJreXNqRs8Ef60iqcqWJ7TDUlAD5JnJN:DD6WcFtC7hhNJpcZ/2Cm7SSYly7
Score

1^/10
behavioral7
- Target
  
  Server.exe
- Size
  
  96KB
- MD5
  
  bfd0dcf57209068cc25907ff8ddc17e1
- SHA1
  
  8b913990c8691231e1d8e249d6d7f9a59b85dc1e
- SHA256
  
  8a16390f705599cacaba51ccf440f7f0a8320e614f71710a594312756788b28d
- SHA512
  
  8a2838fd69419a249a37b7569a7c0333e8c36a71df0dc7b8ea414f87392b42e885bcd3fc41b6bda181c6f69d98a5a5367d06b8ff6c7d3e577ea4d2581c2bfe09
- SSDEEP
  
  1536:GRtxXnig5/VUJyWryEXe8T1g6hypxc/lkJ5jj1fV8cGDmtB:GhN5/VmbTC6hyQ/OJRj1V8cGCtB
Score

7^/10
- Deletes itself
- Executes dropped EXE
behavioral8 behavioral9
- Target
  
  hfs.exe
- Size
  
  153KB
- MD5
  
  0141d6e9b3db978d2cdc5883072f3cd9
- SHA1
  
  7ce852893dca1e2dc29d8d85d7e9f75e553a5cc4
- SHA256
  
  d878062dcb702d9734e5c4c0da92e8765baccc123249a4e14e44179d4299c29f
- SHA512
  
  cf472db8a6c7bea41f339d4e6ea2ede97c06b85d3e53d44c1bb837c44a9fe5f6b0a412efceea0031fb37ed0448bd2c4a890aebb9bd113a9b5cf3fcd186ce4b3a
- SSDEEP
  
  3072:EFQ7qD+UBjvu9GrUvUy6ApRrlsbJIpYQVFdLkR2ZmYhM:Ecm+8jvtrNApRQIp/FdpZmYhM
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Adds Run key to start application
  persistence
behavioral10 behavioral11
- Target
  
  hfs_1.exe
- Size
  
  153KB
- MD5
  
  8d1d6e7c36bc9c97338a71c862dc52a0
- SHA1
  
  ea0cd6c2983a4fda97302cf338b3fbac20a3cc1e
- SHA256
  
  636f404892310f7f7cbffd013d5ebd5895b309af2b0bb18814e52c5548e4d4a6
- SHA512
  
  fe89091867ddfb2e9b8a94edaf5c5d56d61fffa5dd9f604013ebfd19498625d5d0a8c7db0ae4c215bbe00c2c6682a90137abc91de24c89d16dbcd0f961194923
- SSDEEP
  
  3072:EFQ7RD+UBjvu9GrUvUy6ApRrlsbJIpYQVFdLkR2ZmYhM:Ecd+8jvtrNApRQIp/FdpZmYhM
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Adds Run key to start application
  persistence
behavioral12 behavioral13
- Target
  
  hg
- Size
  
  1.3MB
- MD5
  
  e0b7ef909e9d250091cb94a9b01ad518
- SHA1
  
  f3025ec3f4bbf646e074d99b19183dfeeae9523f
- SHA256
  
  9b18009e4a989930dea9f8e578a955cd29d013e7a544c14f9017ecb73c6382fb
- SHA512
  
  a8aaae0c3c2dc1a84b5f6e65223139d4c210a400e4e7295459600339acbd4d9763d95811b37ee30e122e215a574620312378e4aaac3776d33f5b64bae16adcf5
- SSDEEP
  
  24576:X8BHnVsZc1VZneCEuvLmJ7p9fomAmgAspprQYlGtmgmH1LJSwYS3uJdA0cG/v5FH:YHnVec1VZnezuvLmJrfvAmgAspprVlGV
Score

1^/10
behavioral14
- Target
  
  java
- Size
  
  664KB
- MD5
  
  b2837a8ea0f460bd070d4bf6d919ae70
- SHA1
  
  97dfe39e3ac9db019020713165c062181cb80884
- SHA256
  
  64a10bdbf0784869fb4b1d2f27a1a3694ec9252e1fd13bca355c3ed9b9a7a8f4
- SHA512
  
  a90d8776cfe1926066c73090cd0716538d243b9964673b87af7a08343c9a89e729bdbf3fed8bbf65297a191b262d0c7278f817a29cc7beee19a1fbc4b63d5132
- SSDEEP
  
  12288:DD6WcFtC7hhNJpcZ/Y2SkgT4KUAoBjmhDO2Aani4XgQQU6T86+uAf4Nzbmk:hNJp/2SkgT4KUAopmhDO2Aan9XgnU6tx
Score

1^/10
behavioral15
- Target
  
  moren.exe
- Size
  
  153KB
- MD5
  
  546cadaef5b11149fa02b146dfa0b830
- SHA1
  
  07b8527cc5561481d1e25842bd1ab3182684df4a
- SHA256
  
  05feb29bad25082dc351921f867287084275915c41fe242c47f21644d7a54558
- SHA512
  
  f1d8f618cbf9599f3efda6333b09d51f472d5f3a83d67ac04549084be787d522e3ece6272ff91322312252608ce8c69080e09dd4c52b9412489e7cf8459b79e0
- SSDEEP
  
  3072:EFQ7cD+UBjvu9GrUvUy6ApRrlsbJIpYQVFdLkR2ZmYhg:Eco+8jvtrNApRQIp/FdpZmYhg
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Adds Run key to start application
  persistence
behavioral16 behavioral17

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

gh0stratpersistencerat

behavioral11

gh0stratpersistencerat

behavioral12

gh0stratpersistencerat

behavioral13

gh0stratpersistencerat

behavioral14

behavioral15

behavioral16

gh0stratpersistencerat

behavioral17

gh0stratpersistencerat