gh0strat | 2a77b478ffa327cdffde58598e3ea9035a597116c2bcd6258883fef7c77e056d | Triage

Sharing

General

Target

2a77b478ffa327cdffde58598e3ea9035a597116c2bcd6258883fef7c77e056d
Size

7.4MB
Sample

240420-cp5e3seg6x
MD5

75260290f3c2f8b8e3ded748c259c3b5
SHA1

22788c270185a5b0c5d2ad55324bfb592f485622
SHA256

2a77b478ffa327cdffde58598e3ea9035a597116c2bcd6258883fef7c77e056d
SHA512

92b78dd57619b941dd08933c4a002b5807c6c7be35cfe9f7e02fabd7bcb224bee51cfd2e785199c0b33ef4ae643b39a9e04bafcd165b2d0be417c447c7892948
SSDEEP

6144:L0yLEbWaR5CcfifXc3PXS/bKK2HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH/:YUaWaR5vfi/Kq/m7

Score

10^/10

gh0strat persistence rat

Malware Config

Extracted

Family

gh0strat

C2

127.0.0.1

Targets

- Target
  
  2a77b478ffa327cdffde58598e3ea9035a597116c2bcd6258883fef7c77e056d
- Size
  
  7.4MB
- MD5
  
  75260290f3c2f8b8e3ded748c259c3b5
- SHA1
  
  22788c270185a5b0c5d2ad55324bfb592f485622
- SHA256
  
  2a77b478ffa327cdffde58598e3ea9035a597116c2bcd6258883fef7c77e056d
- SHA512
  
  92b78dd57619b941dd08933c4a002b5807c6c7be35cfe9f7e02fabd7bcb224bee51cfd2e785199c0b33ef4ae643b39a9e04bafcd165b2d0be417c447c7892948
- SSDEEP
  
  6144:L0yLEbWaR5CcfifXc3PXS/bKK2HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH/:YUaWaR5vfi/Kq/m7
Score

10^/10

gh0strat rat persistence
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

gh0stratpersistencerat