gh0strat | 1e4873c6eb87a161fda91cbc2d3679ed32f3290240684316d25907f5fe63129e | Triage

Submit
Reports

Overview

overview

Static

static

3

36fb64e01d...18.exe

windows7-x64

36fb64e01d...18.exe

windows10-2004-x64

Sharing

General

Target

36fb64e01dd35fa278ed552091326834_JaffaCakes118
Size

760KB
Sample

241011-1r5qmazhrr
MD5

36fb64e01dd35fa278ed552091326834
SHA1

649285f638fc84b63de10068e9f2ec4006a81099
SHA256

1e4873c6eb87a161fda91cbc2d3679ed32f3290240684316d25907f5fe63129e
SHA512

869d78c378c9132bfb25a56ee63e32f3ff842c55c2497f410a9b651934555109573f12a8f3d458a58d37bc52ec52c8bd6e10ad96b442d9e7490c254846510db9
SSDEEP

12288:SIj0cCW6PLHu/UVdi6vTYy/j6f34aBUrI0d4QAmxyu0w:1YcCDu4iNE6f+rI0EO

Score

10^/10

gh0strat discovery evasion persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

36fb64e01dd35fa278ed552091326834_JaffaCakes118.exe

Resource

win7-20240903-en

gh0strat discovery evasion persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

36fb64e01dd35fa278ed552091326834_JaffaCakes118.exe

Resource

win10v2004-20241007-en

gh0strat discovery evasion persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  36fb64e01dd35fa278ed552091326834_JaffaCakes118
- Size
  
  760KB
- MD5
  
  36fb64e01dd35fa278ed552091326834
- SHA1
  
  649285f638fc84b63de10068e9f2ec4006a81099
- SHA256
  
  1e4873c6eb87a161fda91cbc2d3679ed32f3290240684316d25907f5fe63129e
- SHA512
  
  869d78c378c9132bfb25a56ee63e32f3ff842c55c2497f410a9b651934555109573f12a8f3d458a58d37bc52ec52c8bd6e10ad96b442d9e7490c254846510db9
- SSDEEP
  
  12288:SIj0cCW6PLHu/UVdi6vTYy/j6f34aBUrI0d4QAmxyu0w:1YcCDu4iNE6f+rI0EO
Score

10^/10

gh0strat discovery evasion persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratdiscoveryevasionpersistencerat

behavioral2

gh0stratdiscoveryevasionpersistencerat

© 2018-2025

Terms | Privacy