gh0strat | b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c | Triage

Submit
Reports

Overview

overview

Static

static

7

b7b051aa23...8c.exe

windows7-x64

b7b051aa23...8c.exe

windows10-2004-x64

Sharing

General

Target

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c
Size

579KB
Sample

230609-x7lqxadb59
MD5

fae10d3f91a9871b3b3379da6c61281e
SHA1

38703aac5334eb253f6604a3e0aaf5ed3187c7c6
SHA256

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c
SHA512

cf2d75c29d8e67227d4b3a2f51e5ab56d5080b0777df09e53d062d2ccafc2c74371fe4576c183d23d18d0a32e4a0961cfb58e14bf380dec6212e5a827bb875b0
SSDEEP

12288:zjwRywaO11fKZxRUeTTONFWTeinNFK0VIa9D5hJRqiNYbwPxN:IRzayKZse32DinNki9hfvNYbwPX

Score

10^/10

gh0strat aspackv2 rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

Resource

win7-20230220-en

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.216

Targets

- Target
  
  b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c
- Size
  
  579KB
- MD5
  
  fae10d3f91a9871b3b3379da6c61281e
- SHA1
  
  38703aac5334eb253f6604a3e0aaf5ed3187c7c6
- SHA256
  
  b7b051aa2386491edf22fe4f3efa41015360da7d57784110e9eb4fefcc389a8c
- SHA512
  
  cf2d75c29d8e67227d4b3a2f51e5ab56d5080b0777df09e53d062d2ccafc2c74371fe4576c183d23d18d0a32e4a0961cfb58e14bf380dec6212e5a827bb875b0
- SSDEEP
  
  12288:zjwRywaO11fKZxRUeTTONFWTeinNFK0VIa9D5hJRqiNYbwPxN:IRzayKZse32DinNki9hfvNYbwPX
Score

10^/10

gh0strat rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy