gh0strat

General

Target

18141738762.zip
Size

8.5MB
Sample

240711-exaa1syejr
MD5

16b2ee3fd5a5b2c9c7f5a1d4085ab066
SHA1

71b7f9c8253c51d15f9e8c47b6d4aab8fadcc770
SHA256

1a6113afd271fedcc38f43b9e34f9c80c6bad91cc2a9dccaacbb16060caa3abd
SHA512

d541f09eadb21b6c98fd5399469b4d7dda2fed8a5a4468553922ec3cf97fd2502dee63e1e71f6e76da5c0f0df3abc3f39d6be44287b1cf17e203a47f004a748a
SSDEEP

196608:whR0XtBUgw5O12g72zYbvZETTwqwJVt1vMSu/hGG:2REtBUt+mUvZ11JVtbU4G

Score

10^/10

Malware Config

Extracted

Family

gh0strat

C2

148.178.16.31

Targets

- Target
  
  svchost.exe
- Size
  
  4.1MB
- MD5
  
  0bdc52f9b2fe71c8a90b134881a9c91e
- SHA1
  
  3bb46cf9bacab3e3c9cf9068b92846804c962ac9
- SHA256
  
  aa834c216a73bb3c5dcdd92f18b698f759bb28f6edb4789b210bbfd1435830d5
- SHA512
  
  eb531ddff094f89731f0b2a6081df7df11a0e2712ab329ee5637c2daf0f5552c4eb3140feeb0e4a10ba574bf4503c114db1c6b08f7e4cc7e8d6bc19225b8f7a2
- SSDEEP
  
  98304:4vL/mtcMYSXdPzKJFxHy37sPZ4n6VVSO/0G9DoqHfnlRsqU:CL/05ReF5yrEZpQfG98qfze
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  wininit.exe
- Size
  
  4.1MB
- MD5
  
  a7a60d3103996e0d98b8c28ad734d8b5
- SHA1
  
  973290b3762ea5301f27903487280b1cf87bae5a
- SHA256
  
  6ce3f3d9a259b614393d00bb1bb46107178d5533a3c634cf617e57819fd41c46
- SHA512
  
  589f287098bead819f019494830d474c5193c33aa08e1ac6545071bd7cd1c6777862ef90c9a31576ff95b88a0a149266d385696965e0f09ba11c4adc57f2aefd
- SSDEEP
  
  98304:nN8V1dlvzbKmw7jwWVGVt18ChJECViPXIZQdCd8LTPYaPF:aVzRbKRHwWg38q8PlCd8HD
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  word.exe
- Size
  
  398KB
- MD5
  
  f13f5ac8b89c9ac8d02d1ef7cf9bdf0a
- SHA1
  
  a65ffcc750e84e3fdc6e56829ccd77229d73eee9
- SHA256
  
  1649152cf5eb988b0c02f413a29ec20fcd452e0c5aafd63406b1a7a9062c8a85
- SHA512
  
  0214670c60caaf1800704f6a93691f820a363b367a374584c6f56ea0497b1896db2d16c004315f16bfb65069ecbf53bf4b2f9ad34c6d8ba4b006c6482c9a5a40
- SSDEEP
  
  6144:WMsHe0BivO39zYpmH+kAzkA7ZUgbc6AYJ8rEdrEbAgMMV6NX5ZNeVgjYfhTHiV:W1nIO39YAeNLFjAYarEdrEb5P6VxY1CV
Score

10^/10

gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  wwlib.dll
- Size
  
  1.1MB
- MD5
  
  89e431164bfa94df1b309dfdca5d2d18
- SHA1
  
  6c7a7e82b561f236d63c1a3a58a0c28f0e11053a
- SHA256
  
  9bae1cfdb552683ac327b882e09e65d0986137c3168481963b1e45ebcfee69f1
- SHA512
  
  08f17c6fdbe40fed0c6f8209dfaad359264aad9c51c5a8e33e2aaf4be744d4d3f4bcb930666f6c6e7ef8dba0494b563ff1f9504ed615b5f506414246ef2f76ee
- SSDEEP
  
  12288:PHsqgkjX2L+zuFiikuunL/y5hI3Cy0TIBCjfVsX2UuQEXB81Da:PHU+2sN4hI3Cy0MByfVsGI
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral7 behavioral8