gh0strat | 81d464cbf3b574bfd33e3dc18644fa2946dc567654a6e83bfe23b78594bf78d7 | Triage

Submit
Reports

Overview

overview

Static

static

3

b987ed2106...18.exe

windows7-x64

3

b987ed2106...18.exe

windows10-2004-x64

Sharing

General

Target

b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118
Size

53KB
Sample

240822-3qy8katgka
MD5

b987ed2106872f4561d7d2edb2eb5876
SHA1

9e467466a772ba5c8134210526e0c261e6b0f707
SHA256

81d464cbf3b574bfd33e3dc18644fa2946dc567654a6e83bfe23b78594bf78d7
SHA512

47c233c2733556ac2b3f405d6f70546a5f3ae6d5fa8a193888bfda8b9b384d1f529887a620b8f4467d03c14a4b66069d636eb878730a5110a833dfc8826c0a5f
SSDEEP

1536:obeMDyISB9r77bqTP43fN3JIJkmtuUJ+XGRHpiHg9:obNDsn7ek3fUJkAJ+XmH9

Score

10^/10

gh0strat discovery persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe

Resource

win7-20240705-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118.exe

Resource

win10v2004-20240802-en

gh0strat discovery persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  b987ed2106872f4561d7d2edb2eb5876_JaffaCakes118
- Size
  
  53KB
- MD5
  
  b987ed2106872f4561d7d2edb2eb5876
- SHA1
  
  9e467466a772ba5c8134210526e0c261e6b0f707
- SHA256
  
  81d464cbf3b574bfd33e3dc18644fa2946dc567654a6e83bfe23b78594bf78d7
- SHA512
  
  47c233c2733556ac2b3f405d6f70546a5f3ae6d5fa8a193888bfda8b9b384d1f529887a620b8f4467d03c14a4b66069d636eb878730a5110a833dfc8826c0a5f
- SSDEEP
  
  1536:obeMDyISB9r77bqTP43fN3JIJkmtuUJ+XGRHpiHg9:obNDsn7ek3fUJkAJ+XmH9
Score

10^/10

discovery gh0strat persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
  persistence
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

Terminal Services DLL

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

gh0stratdiscoverypersistencerat

© 2018-2025

Terms | Privacy