gh0strat | 4132ab6ac46529121b2183a63f7e71c35bb2f733add6acaf2ee22491b8203ee7 | Triage

Sharing

General

Target

4132ab6ac46529121b2183a63f7e71c35bb2f733add6acaf2ee22491b8203ee7
Size

4.6MB
Sample

240525-xbfvsadh3z
MD5

3db635263ea4949c91667006a4b540f7
SHA1

afe89e85c860ae2799cf1c656e4fb39150793dcb
SHA256

4132ab6ac46529121b2183a63f7e71c35bb2f733add6acaf2ee22491b8203ee7
SHA512

e9830aa861177b873820f3d81a439488b919caec4917ac489636dca54f54fd133f8db123fa7c0f776b41cdcead99b9dfac46b20688b104a0592d8b6acbc5255a
SSDEEP

98304:G2SVMD8jdRyeKOljH/X7jqwxOJBAUZL2h:G9rjH/LjAJVE

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  4132ab6ac46529121b2183a63f7e71c35bb2f733add6acaf2ee22491b8203ee7
- Size
  
  4.6MB
- MD5
  
  3db635263ea4949c91667006a4b540f7
- SHA1
  
  afe89e85c860ae2799cf1c656e4fb39150793dcb
- SHA256
  
  4132ab6ac46529121b2183a63f7e71c35bb2f733add6acaf2ee22491b8203ee7
- SHA512
  
  e9830aa861177b873820f3d81a439488b919caec4917ac489636dca54f54fd133f8db123fa7c0f776b41cdcead99b9dfac46b20688b104a0592d8b6acbc5255a
- SSDEEP
  
  98304:G2SVMD8jdRyeKOljH/X7jqwxOJBAUZL2h:G9rjH/LjAJVE
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat