gh0strat | 9126e22dadd0ce19a8c93f3d5edc8931231ea9e3d963154db061d67897a74599 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1b3237069c...18.exe

windows7-x64

1b3237069c...18.exe

windows10-2004-x64

Sharing

General

Target

1b3237069cb32b2e38a778105948b107_JaffaCakes118
Size

174KB
Sample

240701-n2n5eatcjq
MD5

1b3237069cb32b2e38a778105948b107
SHA1

3d443d78e881e94dd6d8eb39bcdb02fa3590de96
SHA256

9126e22dadd0ce19a8c93f3d5edc8931231ea9e3d963154db061d67897a74599
SHA512

333c5907f166ad531fd6ca060a99e7522fee874345d58a32ad8d368276e5279a1b272e8fcbdda1afab98b0de47dcec16573f8aa7e86ed7708a02ae04eb7256f6
SSDEEP

3072:VJuGnYhTbK80kSbOW1oWOQ1f9xHwm1PXBmXZFeA28pM6EdePl9dehiv80P80CnpH:VJueTkSOwoWOQ3dwaWB28edeP/deUv8M

Score

10^/10

gh0strat persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

1b3237069cb32b2e38a778105948b107_JaffaCakes118.exe

Resource

win7-20240611-en

gh0strat persistence rat

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

1b3237069cb32b2e38a778105948b107_JaffaCakes118.exe

Resource

win10v2004-20240611-en

gh0strat persistence rat

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Targets

- Target
  
  1b3237069cb32b2e38a778105948b107_JaffaCakes118
- Size
  
  174KB
- MD5
  
  1b3237069cb32b2e38a778105948b107
- SHA1
  
  3d443d78e881e94dd6d8eb39bcdb02fa3590de96
- SHA256
  
  9126e22dadd0ce19a8c93f3d5edc8931231ea9e3d963154db061d67897a74599
- SHA512
  
  333c5907f166ad531fd6ca060a99e7522fee874345d58a32ad8d368276e5279a1b272e8fcbdda1afab98b0de47dcec16573f8aa7e86ed7708a02ae04eb7256f6
- SSDEEP
  
  3072:VJuGnYhTbK80kSbOW1oWOQ1f9xHwm1PXBmXZFeA28pM6EdePl9dehiv80P80CnpH:VJueTkSOwoWOQ3dwaWB28edeP/deUv8M
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratpersistencerat

behavioral2

gh0stratpersistencerat

© 2018-2025

Terms | Privacy