Extracted

• • Target

    22c8fc9c7ab6759e665a4e9e8bdd2904538ab352038537085f643295b6f33724

  • Size

    318KB

  • MD5

    78f9918d06e51b5b4e86e241c95bdbc6

  • SHA1

    fd2331b18c165e2771ebd20d83fd671d9a0a6f7d

  • SHA256

    22c8fc9c7ab6759e665a4e9e8bdd2904538ab352038537085f643295b6f33724

  • SHA512

    cd7730cc3de8417303f9b9ff675281f17ab3e36b76a6c5d81f70e822f05c74d15727df96c6d7af7609b9fa9895b5788cebc6df64abaa86b6ffb1cb2801cbaa1a

  • SSDEEP

    6144:ORoSgWbzYds0SfxsTxt3YeWH8k+p+Nj8DmV9Z3+jH:RSfbzc8GrYdcb88Dw+z

  Score

  10^/10

  gh0stratbootkitdiscoverypersistenceratspywarestealerupx

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • Gh0strat family

    gh0strat

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2