gh0strat | 5d9a69cea0e22d01c1d0fb5dfe020ab01891bf218df26f2548626566ef4499ca | Triage

Sharing

General

Target

8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
Size

376KB
Sample

240126-p53mmsfecq
MD5

6663323f99b20538689fbf9e5c942aec
SHA1

d230dbb2e3730cf040f4af8c9a6ce284dde70fe6
SHA256

5d9a69cea0e22d01c1d0fb5dfe020ab01891bf218df26f2548626566ef4499ca
SHA512

daa661883fb8c5c15bedc8eaf47e9746fd3895184d4b6ef1f739ce82f29427294242b2c76d00d135f3febb64bc253655ddaa6d9947975140c166c96152866027
SSDEEP

6144:aOyLEbWaR5Cclr2Z9JyPJrrrrVmJJJJJJJJJJJJJJ7N:5UaWaR5v1sSXA

Score

10^/10

gh0strat persistence rat

Malware Config

Extracted

Family

gh0strat

C2

81.68.216.37

Targets

- Target
  
  8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895.exe
- Size
  
  376KB
- MD5
  
  6663323f99b20538689fbf9e5c942aec
- SHA1
  
  d230dbb2e3730cf040f4af8c9a6ce284dde70fe6
- SHA256
  
  5d9a69cea0e22d01c1d0fb5dfe020ab01891bf218df26f2548626566ef4499ca
- SHA512
  
  daa661883fb8c5c15bedc8eaf47e9746fd3895184d4b6ef1f739ce82f29427294242b2c76d00d135f3febb64bc253655ddaa6d9947975140c166c96152866027
- SSDEEP
  
  6144:aOyLEbWaR5Cclr2Z9JyPJrrrrVmJJJJJJJJJJJJJJ7N:5UaWaR5v1sSXA
Score

10^/10

gh0strat rat persistence
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpersistencerat