gh0strat | c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd | Triage

Sharing

General

Target

0.exe.zip
Size

32KB
Sample

240815-leax6awcng
MD5

010cfb902cae00576e39556914eb7af5
SHA1

86bb5ed57999602fc4540ace6086a891c996e3f3
SHA256

c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd
SHA512

5c848b7e537208aafa0b52f94c7f6a0348f8d4dcdf46b1bfbbf05d6813e47fcceea1dd1c8a9368f9476aae28d571dd97cfa1770e4a76947d430f94b597d2a9d1
SSDEEP

768:1WNTeakdIbb8karXzilV7uUdzM1VyY8dLDFa1X87MEH2fZz:1WxeanbmXeF3doVypdL5amYEHw

Score

10^/10

gh0strat discovery rat

Malware Config

Targets

- Target
  
  0.exe.zip
- Size
  
  32KB
- MD5
  
  010cfb902cae00576e39556914eb7af5
- SHA1
  
  86bb5ed57999602fc4540ace6086a891c996e3f3
- SHA256
  
  c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd
- SHA512
  
  5c848b7e537208aafa0b52f94c7f6a0348f8d4dcdf46b1bfbbf05d6813e47fcceea1dd1c8a9368f9476aae28d571dd97cfa1770e4a76947d430f94b597d2a9d1
- SSDEEP
  
  768:1WNTeakdIbb8karXzilV7uUdzM1VyY8dLDFa1X87MEH2fZz:1WxeanbmXeF3doVypdL5amYEHw
Score

1^/10
behavioral1 behavioral2
- Target
  
  0.exe
- Size
  
  71KB
- MD5
  
  2a9d0d06d292a4cbbe4a95da4650ed54
- SHA1
  
  44c32dfae9ac971c3651adbd82c821971a5400dc
- SHA256
  
  09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
- SHA512
  
  ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
- SSDEEP
  
  1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Score

10^/10

gh0strat discovery rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Deletes itself
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  .data
- Size
  
  8KB
- MD5
  
  6f6e4f79e28328f044aea1fae26fac3c
- SHA1
  
  a8f2be0e96b316cd4cdf9328d37f3fdc41d05c86
- SHA256
  
  5384fd052e305e5aeb0296ec83d027530093f9ba504821aa4971dcf85412b0f1
- SHA512
  
  64a346739461c3a1e2924681a8d450188ea1c53a45a22833d5d3860b18ccece87ecd0a9bf6a6fb8ec8501b5bfa4356dbde2d50f6a3a9d5de90569c8bd64b03bf
- SSDEEP
  
  96:kf/RRQ+AKjK4hQ9RWjlj+ubUyOALgEy4yUZYDAqg0NpLrRqu:sc+AwKN4lj+fzARyUeDA2fLs
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  .rdata
- Size
  
  7KB
- MD5
  
  c15aa553db9a4966096910f155c0cb03
- SHA1
  
  d878b158a08acd424e2d9aec90e206f08c1e72a8
- SHA256
  
  5d9abcefc38a9cacdf88d466fccf68040f4a8aef5bac04988b23eab1877304ea
- SHA512
  
  d6ae643cf73637947a43f5cdff3b798f001a684c014acce155e0e332c26c68fcead6b4e67b7acb4b542a56a6c2784ff9930c2076ac8f3a5263002595b6e670d5
- SSDEEP
  
  192:gtlg8q/6gE+tlbr6okz1hDAWSGiRuCDW94Ny:M+Pi/Opr6jzLbSPS9yy
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  .reloc
- Size
  
  2KB
- MD5
  
  0997c172bb70dafb06dd0d5f220b8ef6
- SHA1
  
  b101e5b21ca18127584725fc3d875e1e31f260bf
- SHA256
  
  df1ae66a3d747156c00913596a4313eb8814fb627b21c424d3cb8baa257e27db
- SHA512
  
  a92d3ab2db442ff0a0c8c87ca2ac21dbac34bd355807a107942fcd02c4e8bf2a4e4746dd743033f3d16be797bc9a8b5a5d9380c83361435482e41af2336c4e02
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  .rsrc/BITMAP/103.bmp
- Size
  
  130B
- MD5
  
  66c3de780d6f3b1e5cd6cdcb8939acfe
- SHA1
  
  eb6d71711fc980f631f15ed6e57ba05edc9b5442
- SHA256
  
  ffabc504465994a50fed3bea2e5020ed46567be59cfa1628de1bdea07f220d27
- SHA512
  
  7ade82bea19cdcf100b56d97152aaf2fd92efa5b27ffbb3ce2c64f94ff6b7532b2bc55a351442f6aba92fed715741289deeb18ac56951b6390dad0a8ea70172e
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral11 behavioral12
- Target
  
  .rsrc/MANIFEST/1
- Size
  
  533B
- MD5
  
  3094519c13cf5858434d62962a7658c1
- SHA1
  
  e86d3c8fd3cc71adc15e9b51ef5b30cc0921e275
- SHA256
  
  35b7d03732d6f5834ca165995ac2985880c2ac0c13b0d9c60a23edc9e0ae11e3
- SHA512
  
  b2170898588303d5c858502fc12c8d8412b088bd1ed1b2d6242183db3e8e6c7de8f0c1480a292f481fae2b7ba189f16ceeb8ac63e8c2e9c79da0f1696fd37428
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  .rsrc/MENU/102
- Size
  
  18B
- MD5
  
  00067feb6f81dcd6320fa75d91cc78f4
- SHA1
  
  c1cee2e3274e9de4b959a8d97448949a4a185d93
- SHA256
  
  0717dfca923df0beca176f2cb47bdf066cd80d7365dac55184d1a6282bb81b26
- SHA512
  
  6ad6503fcd3f5f1d1ba67dd81fe9107be3f8c572328565343ba77e6bf77093d3bd533b473db557fb0c2f899777e745894a59775ea126d2df8a69609987755687
Score

1^/10
behavioral15 behavioral16
- Target
  
  .rsrc/version.txt
- Size
  
  1KB
- MD5
  
  f5e05799473eaeec6a40dda487925a9a
- SHA1
  
  636e77001343f36911f906e454d6945d57023c18
- SHA256
  
  23db4e0ec4f3ecfaeda132d3b3c2fde56ec487bbb459afede1f656493fbfc013
- SHA512
  
  72fed66bedc5cb6bd7c55400659a9adf1d89886a3eb1ed4b291a915e8b5ebb699540af7ad867de414b3838c2fd067089ceded766f9cd6ac57909a148bc336dba
Score

1^/10
behavioral17 behavioral18
- Target
  
  .text
- Size
  
  43KB
- MD5
  
  c717527fa73d21059748cc178628dc37
- SHA1
  
  37d7d49838f59db650b4fdd55f43b90be59446f2
- SHA256
  
  e6a8a41d1a128d0bb578187db7544c427941c9a4eac07ba83b69111a190a5631
- SHA512
  
  7771013e2493b5ed5b1e2016d55b3f55ebc362f45aac559cdccbad70f4f7cd4e2212a5ef6f8d5762ecde0244c2ff86eb65e53a2d3662b692066f27cfcc3eba06
- SSDEEP
  
  768:Ve+5tLcz6AVenNCdVKT/o+ySREAkGcMZ1h6GHHLVfMW/QP4:VTtLcWyeYd4//yEZc1GJf7/QP4
Score

3^/10
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

gh0stratdiscoveryrat

behavioral4

gh0stratdiscoveryrat

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20