General

  • Target: 7b09a034acfc60880a8ac2b18607c2e779d3a26efea582e4bd3b11855ff25319
  • Size: 2.0MB
  • Sample: 230518-ghzcpshg99
  • MD5: 8a8bae0edff69be55dced29e7e4736fd
  • SHA1: d0a99191c475a206274881babf166d15c5e447fa
  • SHA256: 7b09a034acfc60880a8ac2b18607c2e779d3a26efea582e4bd3b11855ff25319
  • SHA512: dfa085019fa2e9e8a5abe132aeb00d163ec4cb6968616efbddfc19b7ca41a06f689f6f3fb051c5271f842e70cb1abd5c007af2423fee9de993f6a3217082e2f5
  • SSDEEP: 24576:ary2uXzm2yMmiYsdVTiVH7lDIRUZseADfajnQwsr6oom0PfPa3YG2MRRx4K5ZKDr:aunMrH7NaDfTtoVpTMRx5u5smsD7v+

Score: 10/10

Malware Config

Extracted

  • Family: gh0strat
  • C2: 107.148.128.209

Targets

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Modifies RDP port number used by Windows

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks