gh0strat | 7a44b15786cc731bc1bca9a1765bb4997ac7fce3c684ae1aa5dcd18e686936fd | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

3f716c25e7...e5.exe

windows7-x64

3f716c25e7...e5.exe

windows10-2004-x64

Sharing

General

Target

3f716c25e7df8ce2fc0274e25020e9e5
Size

124KB
Sample

240104-ax2caafgh7
MD5

3f716c25e7df8ce2fc0274e25020e9e5
SHA1

5db0dc65a755898203c110bf139f677fe61be3e1
SHA256

7a44b15786cc731bc1bca9a1765bb4997ac7fce3c684ae1aa5dcd18e686936fd
SHA512

1b9bd43d3c7c774ce54a25430ccd87ee2e81dc3537e1917eb44712e80114bfbd12d7fc5cc4361d2e3a21433aa15cf9529cdf927d85150b82ad3225db074f1adc
SSDEEP

3072:sswzCxfRbmdkIXs2+4fiKwjsb1Fe4U8Q2aSn95:+zwdmdtX/KKWsb1pYs95

Score

10^/10

gh0strat persistence rat vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

3f716c25e7df8ce2fc0274e25020e9e5.exe

Resource

win7-20231215-en

gh0strat persistence rat vmprotect

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

3f716c25e7df8ce2fc0274e25020e9e5.exe

Resource

win10v2004-20231215-en

gh0strat persistence rat vmprotect

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  3f716c25e7df8ce2fc0274e25020e9e5
- Size
  
  124KB
- MD5
  
  3f716c25e7df8ce2fc0274e25020e9e5
- SHA1
  
  5db0dc65a755898203c110bf139f677fe61be3e1
- SHA256
  
  7a44b15786cc731bc1bca9a1765bb4997ac7fce3c684ae1aa5dcd18e686936fd
- SHA512
  
  1b9bd43d3c7c774ce54a25430ccd87ee2e81dc3537e1917eb44712e80114bfbd12d7fc5cc4361d2e3a21433aa15cf9529cdf927d85150b82ad3225db074f1adc
- SSDEEP
  
  3072:sswzCxfRbmdkIXs2+4fiKwjsb1Fe4U8Q2aSn95:+zwdmdtX/KKWsb1pYs95
Score

10^/10

gh0strat persistence rat vmprotect
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Drops file in Drivers directory
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistenceratvmprotect

behavioral2

gh0stratpersistenceratvmprotect

© 2018-2025

Terms | Privacy