gh0strat | 2c6f5bffa8066d7d486735adb6ccc78654f487edd5ebeba5e043eb0db3cf6ae4 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

46062feff1...8a.exe

windows7-x64

46062feff1...8a.exe

windows10-2004-x64

Sharing

General

Target

20320bd328c8a9ab7ebacd0b7827c742.bin
Size

231KB
Sample

230828-bebjksec36
MD5

8909a35416f19648660df9e7e0508179
SHA1

888fc50ce6c6b43815ce09a5f0dc11a795caa41c
SHA256

2c6f5bffa8066d7d486735adb6ccc78654f487edd5ebeba5e043eb0db3cf6ae4
SHA512

72ed40cc03e4fc5b72bc9959e12ae3576c5f4e5c5e828defd8e50800dcc119397635352b5cf56ac9178b801135b7a45e036f9f2213b9453d14283e41cfc685e7
SSDEEP

3072:j6R2YZ8JeBnIv8gSZRNV2rNToOJKZ7JC0e/HJaQVCr607sQsKQa51yx846e+9:jc2wpGDSTsOOJs7JCJRaCA60ulNW4Nq

Score

10^/10

gh0strat persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe

Resource

win7-20230712-en

gh0strat persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.exe

Resource

win10v2004-20230824-en

gh0strat persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a.bin
- Size
  
  524KB
- MD5
  
  20320bd328c8a9ab7ebacd0b7827c742
- SHA1
  
  8a66676b0a4926a9525630f6b4ec7a106db3e27f
- SHA256
  
  46062feff144c57dfdb69096b765be5b2e6e7fa3493cf0669b7163acbc51c48a
- SHA512
  
  151a1d9db7f4162417e0f0bedd21d2442d16330003466b76d1055d099360262f0e4f72411125fda2302c531d2845e3ea620aeea3616c5172dcb194fef276a646
- SSDEEP
  
  12288:KQb8e55GXwhEIGmcuRrv0CbU4j0ARGohKRjP7Kt+V7UB1ZSQCVmzdditQxL5NLlg:L5pKpOd/GTV5nJ
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2025

Terms | Privacy