gh0strat | 963ed0909e317cbef3063bb417ecab92d3b95c4577409f1745cf5f81cffee318 | Triage

Sharing

General

Target

5f74df5871972c90f0404802c3cbc5ee.rar
Size

287KB
Sample

240106-l93lnaddhl
MD5

5f74df5871972c90f0404802c3cbc5ee
SHA1

d2401e9343a3acd37bb2b98d0afd11302cfb4891
SHA256

963ed0909e317cbef3063bb417ecab92d3b95c4577409f1745cf5f81cffee318
SHA512

e6f797dbf99332e8231ce1061f0bc63413facbc208939f362713871427c047b823ba9304435257c3a381b59d90cbd5021962236b4c44558b5580d4b3148e502d
SSDEEP

6144:F2UJVwAc+kifLAwqNACzrGfLh1RmqifzwBvjH1c+qhFu:IUBEaLQhifKfzwnchFu

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  PCBoost.exe
- Size
  
  291KB
- MD5
  
  8e082840ba73601cf3500b473be9530a
- SHA1
  
  cfaf2f80209bba131ce916610f224718dec4a4a1
- SHA256
  
  f2a842bf291c54705a59e3a4c388310e692ec1608dbfc3c4921b709b2f45193f
- SHA512
  
  16694c951e851533b6088be619f31208e989611c32f3d191c1bc1af6fb76c493874d1b382e56bf748e00210a21d63055c985decc71fff0f3a81adc09551cbe25
- SSDEEP
  
  3072:Inj9jtfU+INndIc0JWo5vmu2bOsmu2bOns8AbphCFUARI0Fx5IlBANTQ9a+mrMnm:IjbeiHibVibws8AujIbAN89RmUhV5sCw
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  SScanner.dll
- Size
  
  109KB
- MD5
  
  674675acce75b610f66c7d5a6f2d8418
- SHA1
  
  75f85a887dbfff5ad150a9d6f20c49addc04e923
- SHA256
  
  1f3a30f4b7fe4e20bbdaa34690f4d9914d3bde2e4ec74ec8c59f06f822685082
- SHA512
  
  317019ed9b021db127b5f5eeb1d13ddf3781205bda9675c516e6622765226372ea1ff61c56a4d8864d74cc7ea7487e41ef6803566c19f022f0a9c7084a4a5751
- SSDEEP
  
  3072:HdnKdjuUEwZ543pE7WQ15hMDpELOzboLZGFxavftx8ng:9nKdjrEwZ543pEqq56e/Mavftxx
Score

1^/10
behavioral3 behavioral4
- Target
  
  uninst.exe
- Size
  
  83KB
- MD5
  
  61bc2c358e49694b01cb4bbac372e137
- SHA1
  
  5edea6110b3fe6fd22ef82469368c694513871d6
- SHA256
  
  76b2b91979ed0a988ecf14e29a7970dfa20667c6b0ae59828009147638ad2bf5
- SHA512
  
  b34a0d1c73803476aaa2a3206bcf1020a3f875031963c1560eb999e24b98363ee381b93e1914a17648b6696d8c219ff2f99ff919a4890d49fe5445ee414f1de1
- SSDEEP
  
  1536:/Px/CJAmx2/W5Ebnto4tmJPYRN6QcIA4lvs1eP/w49g3XTsJLYKq:3x6UW6tpmJPqTP/wQg3XTsJsKq
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6