gh0strat | d3e9f7f13fe4a936a208fd5b92e056fd09b2e07e90049d6f4f32b800fef9edc4 | Triage

Sharing

General

Target

d3e9f7f13fe4a936a208fd5b92e056fd09b2e07e90049d6f4f32b800fef9edc4
Size

1.9MB
Sample

240526-f39thahc54
MD5

6b226224117c3c1eef4dfdb98b1cb052
SHA1

2b3514ad493c482611230187797cdc93ee21bcda
SHA256

d3e9f7f13fe4a936a208fd5b92e056fd09b2e07e90049d6f4f32b800fef9edc4
SHA512

cec556430ba0cffb983fdcb811a59a74afd3445acc29af53e7fa5a5e9d32b6990984241eca31aa56c95a2923328b92d695ae9fe165c3787baf1aaf54ece33bb1
SSDEEP

24576:3YFbkIsaPiXSVnC7Yp9zkNmZG8RRlnhyzHsSG:3YREXSVMDi3Th

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  d3e9f7f13fe4a936a208fd5b92e056fd09b2e07e90049d6f4f32b800fef9edc4
- Size
  
  1.9MB
- MD5
  
  6b226224117c3c1eef4dfdb98b1cb052
- SHA1
  
  2b3514ad493c482611230187797cdc93ee21bcda
- SHA256
  
  d3e9f7f13fe4a936a208fd5b92e056fd09b2e07e90049d6f4f32b800fef9edc4
- SHA512
  
  cec556430ba0cffb983fdcb811a59a74afd3445acc29af53e7fa5a5e9d32b6990984241eca31aa56c95a2923328b92d695ae9fe165c3787baf1aaf54ece33bb1
- SSDEEP
  
  24576:3YFbkIsaPiXSVnC7Yp9zkNmZG8RRlnhyzHsSG:3YREXSVMDi3Th
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat