gh0strat | 80a7a67ec7a406aa9907adf727c8ce3dd6a20f66ed00e775c1d53f7e67e08fc4 | Triage

Sharing

General

Target

80a7a67ec7a406aa9907adf727c8ce3dd6a20f66ed00e775c1d53f7e67e08fc4
Size

1.1MB
Sample

240526-mklsaafh62
MD5

ed82af42d1ab0689550a944b491cc741
SHA1

d2c34187ed9d47f97f10e41301f5bfca59f37335
SHA256

80a7a67ec7a406aa9907adf727c8ce3dd6a20f66ed00e775c1d53f7e67e08fc4
SHA512

4f7884873a39ca737bba04da79550f173265403063eaf031f0ccb9a5a45e81fbb291d5a920a57daa9ece35749c01137a87616563dc67a2992d52fbcb59cb98df
SSDEEP

24576:rYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnayzmXAP6LBv:rYREXSVMDi33PmBv

Score

10^/10

gh0strat persistence rat

Malware Config

Targets

- Target
  
  80a7a67ec7a406aa9907adf727c8ce3dd6a20f66ed00e775c1d53f7e67e08fc4
- Size
  
  1.1MB
- MD5
  
  ed82af42d1ab0689550a944b491cc741
- SHA1
  
  d2c34187ed9d47f97f10e41301f5bfca59f37335
- SHA256
  
  80a7a67ec7a406aa9907adf727c8ce3dd6a20f66ed00e775c1d53f7e67e08fc4
- SHA512
  
  4f7884873a39ca737bba04da79550f173265403063eaf031f0ccb9a5a45e81fbb291d5a920a57daa9ece35749c01137a87616563dc67a2992d52fbcb59cb98df
- SSDEEP
  
  24576:rYFbkIsaPiXSVnC7Yp9zkNmZG8RRlnayzmXAP6LBv:rYREXSVMDi33PmBv
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat