gh0strat | 20d9ea46444df1a7d3aa58fc78b0c28f8266d7cd91b449115e9c8721c27b57a7 | Triage

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 19:22

Sharing

Report Analysis Logs

General

Target

server.exe
Size

125KB
MD5

80a0eb3c8259d7bfcc712019e7bd4689
SHA1

3a46ce36d4d22e4788cc4ea87d5b2734b117f9e5
SHA256

db3f536df70c3f8209af86c878013a7bf537fd4069e083b0f0ccaf30883fc0c8
SHA512

bea5fdad472cccf7d43bb4f6059c4ab1bb795f05d5dfb404eaede4f31f8a9f74e22abb1e311d862564dc9dd003b6bd75f9030375b8552add13e2f3bb00f50a59
SSDEEP

1536:jxLBomTgWM6SibNn8YIaT024cKau2f9d0Dyi+NkXw+mHBkJm60kx8:r4W9Si+YIV24Wug9d0H+aXw+mHBkJmo8

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2372-1-0x0000000000400000-0x000000000041D160-memory.dmp	family_gh0strat
behavioral1/memory/2372-0-0x0000000000401000-0x000000000041E000-memory.dmp	family_gh0strat
behavioral1/memory/2372-6-0x0000000000400000-0x000000000041D160-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
PID:2372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-1-0x0000000000400000-0x000000000041D160-memory.dmp

Filesize
116KB

Download
memory/2372-0-0x0000000000401000-0x000000000041E000-memory.dmp

Filesize
116KB

Download
memory/2372-6-0x0000000000400000-0x000000000041D160-memory.dmp

Filesize
116KB

Download