gh0strat | ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

ba37370a4e...20.exe

windows7-x64

ba37370a4e...20.exe

windows10-2004-x64

Sharing

General

Target

ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120
Size

400KB
Sample

240620-lp3e6avejn
MD5

36641ec28d549d2b71f5b016fae295db
SHA1

23262ebeb025cafd64c0c5a28c35f5f4d47a7816
SHA256

ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120
SHA512

21f34e439d30fb7970a399f56f94d234f7e64b4c2ce56bf7c09968bbcdcd713586df2c11d9fdab2f7088d353461a7ec6e22593ed2cc9ee5f72e4f388b2e25eae
SSDEEP

3072:vRK/yLrQbWaR5Qax8c/Yt5Kgm45EWWdfnaZf4Xvl4luK:vIyLEbWaR5CchE6nmCzK

Score

10^/10

gh0strat persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120.exe

Resource

win7-20240221-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120.exe

Resource

win10v2004-20240508-en

gh0strat persistence rat

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

gh0strat

C2

fdsfhkjf.e3.luyouxia.net

Targets

- Target
  
  ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120
- Size
  
  400KB
- MD5
  
  36641ec28d549d2b71f5b016fae295db
- SHA1
  
  23262ebeb025cafd64c0c5a28c35f5f4d47a7816
- SHA256
  
  ba37370a4e2c69d6125e3cb76c4b120e06c26fa9a476b13013f1a033749ae120
- SHA512
  
  21f34e439d30fb7970a399f56f94d234f7e64b4c2ce56bf7c09968bbcdcd713586df2c11d9fdab2f7088d353461a7ec6e22593ed2cc9ee5f72e4f388b2e25eae
- SSDEEP
  
  3072:vRK/yLrQbWaR5Qax8c/Yt5Kgm45EWWdfnaZf4Xvl4luK:vIyLEbWaR5CchE6nmCzK
Score

10^/10

gh0strat rat persistence
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratpersistencerat

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.