gh0strat | 7e21bbda3516f0e867c9f86f4f83e05f223d292be5eb7adf75630c7003f26862 | Triage

Sharing

General

Target

7e21bbda3516f0e867c9f86f4f83e05f223d292be5eb7adf75630c7003f26862
Size

380KB
Sample

240423-pqk42sgc77
MD5

a6555bc479082db51959a71388262e6b
SHA1

9b41ddcf40e0fda2f9de0e7f3a06bbfce349b53b
SHA256

7e21bbda3516f0e867c9f86f4f83e05f223d292be5eb7adf75630c7003f26862
SHA512

78a450fefd885ffe1f4e6ccaa5aaca6a43e3c89bef3e7111d9f6bbdd1d3fe2a81ba413395c74e7b6f0163c52e7a4ede7d75fd7d5d3c82e637a171ce7ce649e5e
SSDEEP

3072:mIXcNc8ES3qngZtZgt3ewnc9D0tt6/F6z8ImGw6:mIMNc8ESDZL02/Mz8ITP

Score

10^/10

gh0strat persistence rat

Malware Config

Extracted

Family

gh0strat

C2

24365426.e3.luyouxia.net

Targets

- Target
  
  7e21bbda3516f0e867c9f86f4f83e05f223d292be5eb7adf75630c7003f26862
- Size
  
  380KB
- MD5
  
  a6555bc479082db51959a71388262e6b
- SHA1
  
  9b41ddcf40e0fda2f9de0e7f3a06bbfce349b53b
- SHA256
  
  7e21bbda3516f0e867c9f86f4f83e05f223d292be5eb7adf75630c7003f26862
- SHA512
  
  78a450fefd885ffe1f4e6ccaa5aaca6a43e3c89bef3e7111d9f6bbdd1d3fe2a81ba413395c74e7b6f0163c52e7a4ede7d75fd7d5d3c82e637a171ce7ce649e5e
- SSDEEP
  
  3072:mIXcNc8ES3qngZtZgt3ewnc9D0tt6/F6z8ImGw6:mIMNc8ESDZL02/Mz8ITP
Score

10^/10

gh0strat rat persistence
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpersistencerat