gh0strat | 2166039dff43718f7ec551e93353c1c439a5299a9afdad6286ea6e3054ae7f0c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

5637b80c6d...09.exe

windows7-x64

5637b80c6d...09.exe

windows10-2004-x64

Sharing

General

Target

5637b80c6dfa6a096df3684c7fcf0309.exe
Size

888KB
Sample

230422-mzjlgaed98
MD5

5637b80c6dfa6a096df3684c7fcf0309
SHA1

bb9feca97658ba25e31677f7844692ef4b9d9e63
SHA256

2166039dff43718f7ec551e93353c1c439a5299a9afdad6286ea6e3054ae7f0c
SHA512

4d85f9d1903569434907fff75b2bc48c13e609d0429f521411de968e5ac05e940ed0cd6c201f8df47fd18d9d863a892ac11a38b29f18ca12e333da9a969a0f75
SSDEEP

12288:WXwncX7nekNJyECJlBfsyiSLb0b3w99n/3GYECzqFwdFslbDeYFKi8xlzxrC5VB:WXccFnyBflRb0s99nJADv0Vjl

Score

10^/10

gh0strat rat vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5637b80c6dfa6a096df3684c7fcf0309.exe

Resource

win7-20230220-en

gh0strat rat vmprotect

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

5637b80c6dfa6a096df3684c7fcf0309.exe

Resource

win10v2004-20230220-en

gh0strat rat vmprotect

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

15.cmananan.com

Targets

- Target
  
  5637b80c6dfa6a096df3684c7fcf0309.exe
- Size
  
  888KB
- MD5
  
  5637b80c6dfa6a096df3684c7fcf0309
- SHA1
  
  bb9feca97658ba25e31677f7844692ef4b9d9e63
- SHA256
  
  2166039dff43718f7ec551e93353c1c439a5299a9afdad6286ea6e3054ae7f0c
- SHA512
  
  4d85f9d1903569434907fff75b2bc48c13e609d0429f521411de968e5ac05e940ed0cd6c201f8df47fd18d9d863a892ac11a38b29f18ca12e333da9a969a0f75
- SSDEEP
  
  12288:WXwncX7nekNJyECJlBfsyiSLb0b3w99n/3GYECzqFwdFslbDeYFKi8xlzxrC5VB:WXccFnyBflRb0s99nJADv0Vjl
Score

10^/10

gh0strat rat vmprotect
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratratvmprotect

behavioral2

gh0stratratvmprotect

© 2018-2025

Terms | Privacy