gh0strat | fdd31379f377aa417dd3bf8950bbdca7d021ef8d45b61a450d1ab2bdabd9e977 | Triage

Submit
Reports

Overview

overview

Static

static

3

880ce9982e...18.exe

windows7-x64

880ce9982e...18.exe

windows10-2004-x64

Sharing

General

Target

880ce9982e3158e07734f267a74ab877_JaffaCakes118
Size

871KB
Sample

241102-13j83axckp
MD5

880ce9982e3158e07734f267a74ab877
SHA1

73dbc461b9b8c20b8218859a050c2496be7dba5a
SHA256

fdd31379f377aa417dd3bf8950bbdca7d021ef8d45b61a450d1ab2bdabd9e977
SHA512

30460fd533da4ed19c5ce715f077f21b8395e90bafa52a43b4ffa02145b47aca545bf32fb944e24ecea16cd64dff5a6f617516b21f288ae10e5eaccdf2fee259
SSDEEP

24576:K/uc//////ahbQkHZoFhdgTZP3Jk4CDS7ZX+:rc//////ahRHZoFATZP3Jk3SFX+

Score

10^/10

gh0strat modiloader discovery rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe

Resource

win7-20240903-en

gh0strat modiloader discovery rat trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

880ce9982e3158e07734f267a74ab877_JaffaCakes118.exe

Resource

win10v2004-20241007-en

gh0strat modiloader discovery rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  880ce9982e3158e07734f267a74ab877_JaffaCakes118
- Size
  
  871KB
- MD5
  
  880ce9982e3158e07734f267a74ab877
- SHA1
  
  73dbc461b9b8c20b8218859a050c2496be7dba5a
- SHA256
  
  fdd31379f377aa417dd3bf8950bbdca7d021ef8d45b61a450d1ab2bdabd9e977
- SHA512
  
  30460fd533da4ed19c5ce715f077f21b8395e90bafa52a43b4ffa02145b47aca545bf32fb944e24ecea16cd64dff5a6f617516b21f288ae10e5eaccdf2fee259
- SSDEEP
  
  24576:K/uc//////ahbQkHZoFhdgTZP3Jk4CDS7ZX+:rc//////ahRHZoFATZP3Jk3SFX+
Score

10^/10

gh0strat modiloader discovery rat trojan
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gh0stratmodiloaderdiscoveryrattrojan

behavioral2

gh0stratmodiloaderdiscoveryrattrojan

© 2018-2024

Terms | Privacy