gh0strat | deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046 | Triage

Submit
Reports

Overview

overview

Static

static

deb537f731...46.dll

windows7-x64

deb537f731...46.dll

windows10-2004-x64

Sharing

General

Target

deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046
Size

137KB
Sample

231012-xcnl1sgd21
MD5

cc2d3beeac14ed23a22322d10421698a
SHA1

cd6e92f037f2953adcc0c15e6e6a63e025ad118f
SHA256

deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046
SHA512

1658b74eca7e151a4cefc001723f3ac27579445a04346344ac4fc785df5ea1a93c9c98d349015ac3728561477fc93f90dc0c902c425e3a9134dc87dc10d6c68d
SSDEEP

3072:kUDBHy4BBy6eFJrmmIewRxM5JSQcqj3G/EAeq:k0yB6oJrcRWQ/qj2EL

Score

10^/10

gh0strat discovery rat upx

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046.dll

Resource

win7-20230831-en

gh0strat discovery rat upx

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046.dll

Resource

win10v2004-20230915-en

gh0strat discovery rat upx

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046
- Size
  
  137KB
- MD5
  
  cc2d3beeac14ed23a22322d10421698a
- SHA1
  
  cd6e92f037f2953adcc0c15e6e6a63e025ad118f
- SHA256
  
  deb537f731d2d316a688b0b47a6019772d1f2720e00bf3cf3c830eb2130e0046
- SHA512
  
  1658b74eca7e151a4cefc001723f3ac27579445a04346344ac4fc785df5ea1a93c9c98d349015ac3728561477fc93f90dc0c902c425e3a9134dc87dc10d6c68d
- SSDEEP
  
  3072:kUDBHy4BBy6eFJrmmIewRxM5JSQcqj3G/EAeq:k0yB6oJrcRWQ/qj2EL
Score

10^/10

gh0strat discovery rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratdiscoveryratupx

behavioral2

gh0stratdiscoveryratupx

© 2018-2025

Terms | Privacy