gh0strat | 0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953 | Triage

Submit
Reports

Overview

overview

Static

static

3

0f1fcae5af...53.exe

windows7-x64

0f1fcae5af...53.exe

windows10-2004-x64

Sharing

General

Target

0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953
Size

4.0MB
Sample

240523-rw6daaee59
MD5

423a60edff840e9fe38ec71100707478
SHA1

8d5432a241847e90a5aa3a2ab99918d56ae2b4b2
SHA256

0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953
SHA512

db20925bff79c38b3862a68352ef6af1fdeba17aa533959debc4423da18249d290f8a4361325f6df654bc3c953be396df44909a02e04d4ecdaf07b2ee10bb28f
SSDEEP

98304:v2SVMD8Lnsmtk2aX3Ob9lG4TLaeOnTPia:/NLfdLzOz

Score

10^/10

gh0strat persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953.exe

Resource

win7-20240221-en

gh0strat persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953.exe

Resource

win10v2004-20240426-en

gh0strat persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953
- Size
  
  4.0MB
- MD5
  
  423a60edff840e9fe38ec71100707478
- SHA1
  
  8d5432a241847e90a5aa3a2ab99918d56ae2b4b2
- SHA256
  
  0f1fcae5afc3ae80abc3ae408f224dc29194ca054e34025cded8311c20ece953
- SHA512
  
  db20925bff79c38b3862a68352ef6af1fdeba17aa533959debc4423da18249d290f8a4361325f6df654bc3c953be396df44909a02e04d4ecdaf07b2ee10bb28f
- SSDEEP
  
  98304:v2SVMD8Lnsmtk2aX3Ob9lG4TLaeOnTPia:/NLfdLzOz
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2024

Terms | Privacy