gh0strat | 1e7bc856243488e3fda36ddc82d24c5e7d9389a1ac90f9b772aa1fbbeb4eddd3

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e7bc856243488e3fda36ddc82d24c5e7d9389a1ac90f9b772aa1fbbeb4eddd3.exe
Size

1.2MB
MD5

2c347048f631d7c23aacc0a3b83c6b3b
SHA1

d5b08da1fcc3837bfb1c9bfa76e939eca5f2cf5b
SHA256

1e7bc856243488e3fda36ddc82d24c5e7d9389a1ac90f9b772aa1fbbeb4eddd3
SHA512

9924ae119230ffaa05ee36cfeda9116dbc80854d68c8323db6776be195b95c4dd9c9181881639a9f22a587164958908285e6d41f2bdfd3494838acb5fb9ca993
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJti/:WIwgMEuy+inDfp3/XoCw57XYBwK/

Score

10^/10

gh0strat discovery rat upx vmprotect

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d63-15.dat	family_gh0strat
behavioral1/memory/2884-24-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2816-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/2816-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-24-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
560	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
560	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1e7bc856243488e3fda36ddc82d24c5e7d9389a1ac90f9b772aa1fbbeb4eddd3.exe
"C:\Users\Admin\AppData\Local\Temp\1e7bc856243488e3fda36ddc82d24c5e7d9389a1ac90f9b772aa1fbbeb4eddd3.exe"
1⤵
PID:2816

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ghiya.exe

Filesize
136KB

MD5
c79244058030c9e465fc0157f1e63f3d

SHA1
e7d7abedf710b6618e8ae2b6b2b39e03cdff37cc

SHA256
4a84f74d03fa9d79b10a81ef86b7a750510ff1a7b9218976d13ebeaa1459923a

SHA512
bfe4218d088f55904634a7c93119bdbf7a7f2c91d8b2c815982722645bac03df5f5d54a1bbbbf9cab100d140210f2b8fb68b5ee53035e6950bc0594139be7484

Download Submit
C:\Windows\SysWOW64\Ghiya.exe

Filesize
128KB

MD5
edb17c05a867e1be71b43b0c8330f356

SHA1
37f8d0f20990e3b506d8a71acfe8a1126b55e6f2

SHA256
d44a7ae217141d812da90ec27e87f2d384fb086b414e1ace3cc39cc5ccf90e03

SHA512
d51be4ed582f68b86d23b012a7d0fd8203b65cb6e6e41229c2f7eb1361ae6cfdcf881f1fd7aed9c2705efb19ccf4c2f23da76303ec086483a7c56dc20be76836

Download Submit
C:\Windows\SysWOW64\Ghiya.exe

Filesize
85KB

MD5
2d0eeb8c13141831e049972f4dc90479

SHA1
d3012cb5412000a81994e0c39da6927bb2f7c6f9

SHA256
b64035266b3b08ce9e157e548a3130edc676d8fbe5aa161881ac2c8d75108ae1

SHA512
349720e089cf4bcb7d68280cd682b37ecbdf4a28a1f116f7e803024cf3cbe8415b41a0ed661289bb46de28ea9927c6acfa68f6dbddb7ca3775c11c12745fbef2

Download Submit
\Windows\SysWOW64\259419975.txt

Filesize
49KB

MD5
1883a41328509b0ac1d976bd3227062f

SHA1
f29eb9d6fe33b64dce5ff53b8ad967b2aa25df9f

SHA256
6f0158c1bf08af048a0c7af9cf0b7182ba42fe81a2ebdc2a33f7a065c60a5b71

SHA512
4ddcd99a8651f05316dfee452b1c3425a04e13ba37ad5b4ec596d76c6f0d1c199a0239b5b3895d1f7c44779bd57cee019da5a92c5806aed5055428714a931f03

Download Submit
memory/2816-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2816-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2884-24-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download