gh0strat | e1a5558088d6f241331f2f443e098f8293c14843d580a1e0971dbde7ff2e6c6c | Triage

Submit
Reports

Overview

overview

Static

static

829567da24...8c.exe

windows7-x64

829567da24...8c.exe

windows10-2004-x64

Sharing

General

Target

829567da24356078abb1ff8beb1b53e460cb4f1d67fab2b1d605912b8b7c438c.exe
Size

108KB
Sample

240126-nk8gqacdg9
MD5

98cbe8668a8e12416cb4dd7041ae5a1f
SHA1

2bfea256de980a9faeada753725b9bcb368efcd8
SHA256

e1a5558088d6f241331f2f443e098f8293c14843d580a1e0971dbde7ff2e6c6c
SHA512

54413adf88c300d372f3cfe6c057f204d2a70a714ec84dbe566e2c32475774518c89a584954da6a55e338d0b0e5338456b969f6b472bfab310c44bac32f64d77
SSDEEP

1536:lqEA70HzLJksPEOajozLElnqiO2+dgPb:lXTLJkQ7zAV3XPb

Score

10^/10

gh0strat runningrat persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

829567da24356078abb1ff8beb1b53e460cb4f1d67fab2b1d605912b8b7c438c.exe

Resource

win7-20231215-en

gh0strat runningrat persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

829567da24356078abb1ff8beb1b53e460cb4f1d67fab2b1d605912b8b7c438c.exe

Resource

win10v2004-20231222-en

gh0strat runningrat persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

p.f2pool.info

Targets

- Target
  
  829567da24356078abb1ff8beb1b53e460cb4f1d67fab2b1d605912b8b7c438c.exe
- Size
  
  108KB
- MD5
  
  98cbe8668a8e12416cb4dd7041ae5a1f
- SHA1
  
  2bfea256de980a9faeada753725b9bcb368efcd8
- SHA256
  
  e1a5558088d6f241331f2f443e098f8293c14843d580a1e0971dbde7ff2e6c6c
- SHA512
  
  54413adf88c300d372f3cfe6c057f204d2a70a714ec84dbe566e2c32475774518c89a584954da6a55e338d0b0e5338456b969f6b472bfab310c44bac32f64d77
- SSDEEP
  
  1536:lqEA70HzLJksPEOajozLElnqiO2+dgPb:lXTLJkQ7zAV3XPb
Score

10^/10

gh0strat runningrat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Creates a Windows Service
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratrunningratpersistencerat

behavioral2

gh0stratrunningratpersistencerat

© 2018-2024

Terms | Privacy