gh0strat | 3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

3b9a2493a8...4b.exe

windows7-x64

3b9a2493a8...4b.exe

windows10-2004-x64

Sharing

General

Target

3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b
Size

220KB
Sample

240504-2bq3zage37
MD5

92fa12fb096542d9240623d6e53626a6
SHA1

8c47c486776222ca90128218767f225b1a2b4bec
SHA256

3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b
SHA512

58565210a904e7674a88e71eb58a7aeeba7813d2e1193764c9471651887107fbcaa35a8755e95120272a6e950fdd7ac24651c4d2b6c5e4a3643c6737f5c6eacc
SSDEEP

3072:c+HDVTtkdiAojheSc5ch491vxqHMkumn0lBE4vvaPc5nm7gynXVpXnRzv8Ri7:jHR8iAoNbc5+4z4z45nGgyXVb

Score

10^/10

gh0strat persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b.exe

Resource

win7-20240215-en

gh0strat persistence rat

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b.exe

Resource

win10v2004-20240419-en

gh0strat persistence rat

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Targets

- Target
  
  3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b
- Size
  
  220KB
- MD5
  
  92fa12fb096542d9240623d6e53626a6
- SHA1
  
  8c47c486776222ca90128218767f225b1a2b4bec
- SHA256
  
  3b9a2493a8c1ab1d035392cd58d5b1a46350283cb0e7607b6682e6891212344b
- SHA512
  
  58565210a904e7674a88e71eb58a7aeeba7813d2e1193764c9471651887107fbcaa35a8755e95120272a6e950fdd7ac24651c4d2b6c5e4a3643c6737f5c6eacc
- SSDEEP
  
  3072:c+HDVTtkdiAojheSc5ch491vxqHMkumn0lBE4vvaPc5nm7gynXVpXnRzv8Ri7:jHR8iAoNbc5+4z4z45nGgyXVb
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Detects executables embedding registry key / value combination manipulating RDP / Terminal Services
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2025

Terms | Privacy