gh0strat | 4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2 | Triage

Submit
Reports

Overview

overview

Static

static

3

4b3e07b873...c2.exe

windows7-x64

4b3e07b873...c2.exe

windows10-2004-x64

Sharing

General

Target

4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2
Size

2.8MB
Sample

230613-yb29fsbc88
MD5

7d363717ff9d31add3c9763e28a02d6c
SHA1

559535de142d7349dbb49675129d0b9c78c74cf0
SHA256

4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2
SHA512

80da70e9fed003db6e70bdb511a1c53fe14bde61dc2ef916a076cc8064fd5d433349574f2d75d90d03c71ffaa7ca5c7c55d3f8f3282f796dc199c32d86cfe27a
SSDEEP

49152:aIPTWN4hEuqgv3BukNbWlZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcn:jPTFEurfBP2g3Yz5J/693k+

Score

10^/10

gh0strat aspackv2 evasion rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2.exe

Resource

win7-20230220-en

gh0strat aspackv2 evasion rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2.exe

Resource

win10v2004-20230220-en

gh0strat aspackv2 evasion rat trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

125.77.168.181

Targets

- Target
  
  4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2
- Size
  
  2.8MB
- MD5
  
  7d363717ff9d31add3c9763e28a02d6c
- SHA1
  
  559535de142d7349dbb49675129d0b9c78c74cf0
- SHA256
  
  4b3e07b87319ae9cba488d6dd25932b9e4d7ce499fb4fe643a4f8e2349ccf9c2
- SHA512
  
  80da70e9fed003db6e70bdb511a1c53fe14bde61dc2ef916a076cc8064fd5d433349574f2d75d90d03c71ffaa7ca5c7c55d3f8f3282f796dc199c32d86cfe27a
- SSDEEP
  
  49152:aIPTWN4hEuqgv3BukNbWlZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcn:jPTFEurfBP2g3Yz5J/693k+
Score

10^/10

gh0strat aspackv2 evasion rat trojan
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

gh0strataspackv2evasionrattrojan

behavioral2

gh0strataspackv2evasionrattrojan

© 2018-2024

Terms | Privacy