gh0strat

General

Target

e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics
Size

8.5MB
Sample

240516-tj656acg49
MD5

e450334557d6d45d2a873e648cdf1b50
SHA1

aee26beb05128e839d0279e779ce7cef283ef2b5
SHA256

a1732b9038446d9d600bb8413ca86eccf1272e26844f4b65632c22189c80f7e5
SHA512

4cd8ac4fa2ec37530eb9c1de4b699aafda43b8d3d86624d592995d49a574662931650e14a333c0bea754fde3bfd76295988375e31b7ff2786d3205b92d7fdb31
SSDEEP

196608:0yEbq8kKU1qXD0QwAIYfIFtCe8lN4XuWEA1HaugJKvgabfT8z//QTDQsNkEC1:0mK8qjwAaCe8f4eWVYKoabfT6QT0s2E6

Score

10^/10

Malware Config

Targets

- Target
  
  e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics
- Size
  
  8.5MB
- MD5
  
  e450334557d6d45d2a873e648cdf1b50
- SHA1
  
  aee26beb05128e839d0279e779ce7cef283ef2b5
- SHA256
  
  a1732b9038446d9d600bb8413ca86eccf1272e26844f4b65632c22189c80f7e5
- SHA512
  
  4cd8ac4fa2ec37530eb9c1de4b699aafda43b8d3d86624d592995d49a574662931650e14a333c0bea754fde3bfd76295988375e31b7ff2786d3205b92d7fdb31
- SSDEEP
  
  196608:0yEbq8kKU1qXD0QwAIYfIFtCe8lN4XuWEA1HaugJKvgabfT8z//QTDQsNkEC1:0mK8qjwAaCe8f4eWVYKoabfT6QT0s2E6
Score

10^/10

gh0strat discovery rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Gh0st RAT payload

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks installed software on the system

Enumerates connected drives

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2