gh0strat | 33b840aad4985d882b0c3f693b2f809b6f90f3ad5824db70f8721ade9befe1f2 | Triage

Submit
Reports

Overview

overview

Static

static

7

52f4cc475b...18.exe

windows7-x64

52f4cc475b...18.exe

windows10-2004-x64

Sharing

General

Target

52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118
Size

144KB
Sample

240518-enb39abc48
MD5

52f4cc475bb2d26643911e24a0fbcd2e
SHA1

daa56e8f913a0e7fd100b9352bc493185b836205
SHA256

33b840aad4985d882b0c3f693b2f809b6f90f3ad5824db70f8721ade9befe1f2
SHA512

6f75fdd9c471f7287d8a8d62944c5b6e6f7458b3309b12b5062240d45bb3cbd40512f3c48b1dc0e0b8c12f9929daa69e5c6f1d67cf36dfbafd99ef25f6cf2e24
SSDEEP

3072:jCsYL2yBf6l7T93e4qht2Axc1ejihAyuRfGo3J5db5l:fhyae4St2w7OZ+/Xr

Score

10^/10

gh0strat runningrat persistence rat vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Resource

win7-20240220-en

gh0strat runningrat persistence rat vmprotect

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118.exe

Resource

win10v2004-20240508-en

gh0strat runningrat persistence rat vmprotect

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

aiac.f3322.net

Targets

- Target
  
  52f4cc475bb2d26643911e24a0fbcd2e_JaffaCakes118
- Size
  
  144KB
- MD5
  
  52f4cc475bb2d26643911e24a0fbcd2e
- SHA1
  
  daa56e8f913a0e7fd100b9352bc493185b836205
- SHA256
  
  33b840aad4985d882b0c3f693b2f809b6f90f3ad5824db70f8721ade9befe1f2
- SHA512
  
  6f75fdd9c471f7287d8a8d62944c5b6e6f7458b3309b12b5062240d45bb3cbd40512f3c48b1dc0e0b8c12f9929daa69e5c6f1d67cf36dfbafd99ef25f6cf2e24
- SSDEEP
  
  3072:jCsYL2yBf6l7T93e4qht2Axc1ejihAyuRfGo3J5db5l:fhyae4St2w7OZ+/Xr
Score

10^/10

gh0strat runningrat persistence rat vmprotect
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- RunningRat payload
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratrunningratpersistenceratvmprotect

behavioral2

gh0stratrunningratpersistenceratvmprotect

© 2018-2024

Terms | Privacy