gh0strat | d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e | Triage

Submit
Reports

Overview

overview

Static

static

3

d602b58af0...1e.exe

windows7-x64

d602b58af0...1e.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e
Size

2.5MB
Sample

231120-epvxradf97
MD5

7f1cf479b6aa478a890f97990ee79a51
SHA1

e64846493a16d7785e4de4aa58d436ed7b419c2c
SHA256

d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e
SHA512

1475585b2a4b4662cd3e227c627e6f740b30198a102b6a9af7fa9f04d257f6603c6198fc101239016577c1e4ec8bb28dcc384bf788db7d5c6b58e4bffadd57b6
SSDEEP

49152:Sd4n+zgsFd7Cgc/wgjyxzfV/3CEz4KJmg7657qwnu3glU7dTu:dCgs2KJmg7692OUE

Score

10^/10

gh0strat rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e.exe

Resource

win7-20231020-en

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e.exe

Resource

win10v2004-20231020-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e
- Size
  
  2.5MB
- MD5
  
  7f1cf479b6aa478a890f97990ee79a51
- SHA1
  
  e64846493a16d7785e4de4aa58d436ed7b419c2c
- SHA256
  
  d602b58af05fe8fd29ac7293b493ced48232ae2a19423f3f8f8db8cfd541c11e
- SHA512
  
  1475585b2a4b4662cd3e227c627e6f740b30198a102b6a9af7fa9f04d257f6603c6198fc101239016577c1e4ec8bb28dcc384bf788db7d5c6b58e4bffadd57b6
- SSDEEP
  
  49152:Sd4n+zgsFd7Cgc/wgjyxzfV/3CEz4KJmg7657qwnu3glU7dTu:dCgs2KJmg7692OUE
Score

10^/10

gh0strat rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2025

Terms | Privacy