General
-
Target
761a9722d17a995cdb504aa2827e526c1ef7b390e2277ab2fb0f85b0737abe4e
-
Size
1.0MB
-
Sample
241115-hs782azmfw
-
MD5
0f055a69a984adaf9b645caf78036c97
-
SHA1
f42623384d44e2387c52295874a2a7f1cd8ce929
-
SHA256
761a9722d17a995cdb504aa2827e526c1ef7b390e2277ab2fb0f85b0737abe4e
-
SHA512
6faa6d3cf7d29e5c42531f41fa599d4e705fb5fb58f3b2c515e35ba366be9cb5ec80fb8b1a775e8dfe0ad1a07cf21bc909b26faed2cf73923d16959d637479b2
-
SSDEEP
12288:R1ec/eFqGwf63oXk2yFqR+lIaaiEOqN/L0FgEhBCpJJNn8/MPr4OsnM:be7qGK63o024qR+aaHEx/wFvUPEOs
Malware Config
Extracted
gh0strat
116.62.87.138
Targets
-
-
Target
761a9722d17a995cdb504aa2827e526c1ef7b390e2277ab2fb0f85b0737abe4e
-
Size
1.0MB
-
MD5
0f055a69a984adaf9b645caf78036c97
-
SHA1
f42623384d44e2387c52295874a2a7f1cd8ce929
-
SHA256
761a9722d17a995cdb504aa2827e526c1ef7b390e2277ab2fb0f85b0737abe4e
-
SHA512
6faa6d3cf7d29e5c42531f41fa599d4e705fb5fb58f3b2c515e35ba366be9cb5ec80fb8b1a775e8dfe0ad1a07cf21bc909b26faed2cf73923d16959d637479b2
-
SSDEEP
12288:R1ec/eFqGwf63oXk2yFqR+lIaaiEOqN/L0FgEhBCpJJNn8/MPr4OsnM:be7qGK63o024qR+aaHEx/wFvUPEOs
Score10/10-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1