gh0strat | fbcc1ad4ff00419232dc85f007abb0763f82d00b086e9958f2d02dc37b266812 | Triage

Sharing

General

Target

fbcc1ad4ff00419232dc85f007abb0763f82d00b086e9958f2d02dc37b266812
Size

1.6MB
Sample

240525-x5lccsfg66
MD5

a3cc6da61c8e5895483552461ab78463
SHA1

84b530f2931ee02dfc4891fadb481db49f5b7071
SHA256

fbcc1ad4ff00419232dc85f007abb0763f82d00b086e9958f2d02dc37b266812
SHA512

0fccf6f8795755254474934c69a0406a3add1ec6b6f77c274d53cafc77094662914618c452bc4318d8d6fde448359d248418be664372df11c55671ffc88fbdfc
SSDEEP

24576:gYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9ByzHTqfa14:gYREXSVMKi3Gqf5

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  fbcc1ad4ff00419232dc85f007abb0763f82d00b086e9958f2d02dc37b266812
- Size
  
  1.6MB
- MD5
  
  a3cc6da61c8e5895483552461ab78463
- SHA1
  
  84b530f2931ee02dfc4891fadb481db49f5b7071
- SHA256
  
  fbcc1ad4ff00419232dc85f007abb0763f82d00b086e9958f2d02dc37b266812
- SHA512
  
  0fccf6f8795755254474934c69a0406a3add1ec6b6f77c274d53cafc77094662914618c452bc4318d8d6fde448359d248418be664372df11c55671ffc88fbdfc
- SSDEEP
  
  24576:gYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9ByzHTqfa14:gYREXSVMKi3Gqf5
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat