gh0strat

General

Target

240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
Size

5.9MB
Sample

240613-bfxhfaycjd
MD5

00cc9132003c0c5a282013898577b795
SHA1

cf9024e742e69b7715a7cdcac7363743ca226cb6
SHA256

240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c
SHA512

08e21f1112eb2aafb9622011da229eb72ee86f907f77a64a17be8702257bc92fb0e709e65aa81e15702f1005b32f929f83be9b574f3b6a6b4432b36f05165595
SSDEEP

98304:KvWCz5kKLknWxK9yE9Br8UWJUd+ctE9Br8UWJUd+c0p+Okci3wVS3oHzdiTH:GWCzB4ME9VpWJ7ctE9VpWJ7c0p+vcD7c

Score

10^/10

Malware Config

Targets

- Target
  
  240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c.exe
- Size
  
  5.9MB
- MD5
  
  00cc9132003c0c5a282013898577b795
- SHA1
  
  cf9024e742e69b7715a7cdcac7363743ca226cb6
- SHA256
  
  240c056fa0a024742d65a67a8f494658837dded48bf892f6209750b1265bdf7c
- SHA512
  
  08e21f1112eb2aafb9622011da229eb72ee86f907f77a64a17be8702257bc92fb0e709e65aa81e15702f1005b32f929f83be9b574f3b6a6b4432b36f05165595
- SSDEEP
  
  98304:KvWCz5kKLknWxK9yE9Br8UWJUd+ctE9Br8UWJUd+c0p+Okci3wVS3oHzdiTH:GWCzB4ME9VpWJ7ctE9VpWJ7c0p+vcD7c
Score

10^/10

gh0strat discovery rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- UPX dump on OEP (original entry point)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Gh0st RAT payload

UPX dump on OEP (original entry point)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2