gh0strat | 93aab9b8915062b7485e525f3a1dde095cb9ecde795bbb5cadeacc0678305518 | Triage

Sharing

General

Target

93aab9b8915062b7485e525f3a1dde095cb9ecde795bbb5cadeacc0678305518
Size

1.3MB
Sample

240525-xwb3bsfc97
MD5

55e982207fbdaf7adc0abd88ae6374a3
SHA1

c2a19282affac38663120b0737361943792cf0b8
SHA256

93aab9b8915062b7485e525f3a1dde095cb9ecde795bbb5cadeacc0678305518
SHA512

d24a869abb15653e26bc0ed76befd9b84b7700b0949ef2cf8997f661fc6e7f83c9ad468c70bc5069bcecfb36a4ce5d9dfaab4b75ab1327e6ecbaddb279c308e0
SSDEEP

24576:eYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9yyzoqfa1t:eYREXSVMKi3YqfU

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  93aab9b8915062b7485e525f3a1dde095cb9ecde795bbb5cadeacc0678305518
- Size
  
  1.3MB
- MD5
  
  55e982207fbdaf7adc0abd88ae6374a3
- SHA1
  
  c2a19282affac38663120b0737361943792cf0b8
- SHA256
  
  93aab9b8915062b7485e525f3a1dde095cb9ecde795bbb5cadeacc0678305518
- SHA512
  
  d24a869abb15653e26bc0ed76befd9b84b7700b0949ef2cf8997f661fc6e7f83c9ad468c70bc5069bcecfb36a4ce5d9dfaab4b75ab1327e6ecbaddb279c308e0
- SSDEEP
  
  24576:eYFbkIsaPiXSVnC7Yp9zjNmZG8RRl9yyzoqfa1t:eYREXSVMKi3YqfU
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat