gh0strat

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_98e2a79530ee07c68cbe432e2cb64e94
Size

6.4MB
Sample

250330-tgdqtsvjt9
MD5

98e2a79530ee07c68cbe432e2cb64e94
SHA1

6951f4157bc92c8bcc5786dc173ad0fc829663b1
SHA256

2fc4ee66a3a833d7f32d5d16d5ef1e21ff5545462a3293b815c564b126606799
SHA512

02b6ca564be8865a606841d78db8dfc8830fdab0ec9205827053807ffa3f1295951499e675954a95236f022dd5406b5aee41e6567a614bdabbc1d0169fe1eb32
SSDEEP

196608:rqNHNXjeqHrj2a0cdhG1iYMOYRtfcx3wLi3tOMX6ckN9S:rqz9LSXcbG4OmY0i39XqNg

Score

10^/10

Malware Config

Targets

- Target
  
  西游网络.exe
- Size
  
  6.4MB
- MD5
  
  736fc596bbb60dd0c8a89a7aeeb032e6
- SHA1
  
  76fcc1512ea6926f6e6fa418f4fe6b7573e9257e
- SHA256
  
  70e640b36104a6797f3df43616e57bcb951fc90515028964e94fa9934698cfc4
- SHA512
  
  9ad5d46cff24ac1010e66f4f2984d60add687fe4afecb58025021e9e4d861c40c9519eba1b5a11c1c810f9df93f1d5b4c19b83dc7961762eb0e6f36dda2f973c
- SSDEEP
  
  196608:3qNHNXjeqHrj2a0cdhG1iYMOYRtfcx3wLi3tOMX6ckN9h:3qz9LSXcbG4OmY0i39XqNj
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  LYdlq.exe
- Size
  
  138KB
- MD5
  
  c7a8c4ebf18c5d5b4c06bdfdacd4c8f0
- SHA1
  
  d25db0d0a267dd753ce85ab27d23f11545852679
- SHA256
  
  7a21021900e30cfc62c447a8407301cd98f659e1b453b0070b2ee653279553c0
- SHA512
  
  a2093d2bdd09121b57dc1561cd8c55730353b81c8474d0676bf6f8ecf7f5f5725814f3fa45b6801eb967d52a957b53c7db1ba5e954abd94cfe4c55245b2dcaab
- SSDEEP
  
  3072:PW62gp7fl2fHrV3hUJ654M8v27qb02QxH21MUW:+ZMDl+rVwlMuy92QU2R
Score

10^/10

gh0strat defense_evasion discovery persistence rat
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  lsass.exe
- Size
  
  125KB
- MD5
  
  1afb1f75153d736af51789988f9e83aa
- SHA1
  
  fabc13289ddce2ed0a851149feb1b7511c986b4c
- SHA256
  
  c52884d63cadf9dc9a8ff4b66a7bcdd426e5bbcecc0873c4f28488bba3428c2d
- SHA512
  
  bd9aa0ff6d64e35f56e6e9377f2812c4586b257a7582753abad25d99b24d6d77d4fbd36c7366a110fbbaa674326b3131b87914e7179fe2d9d64915b99b1d403f
- SSDEEP
  
  3072:RQhZkOLfuDg0PtOqzKONqsEykRLSDYpFweWt6HY:xOFStZzKqqsE6a/4
Score

10^/10

gh0strat discovery rat upx
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Gh0strat family
  gh0strat
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  .exe
- Size
  
  6.4MB
- MD5
  
  b65bbb59533176ff10083328ddaa18c7
- SHA1
  
  9f870ba135c4244db068c0bff7f875e904e535f0
- SHA256
  
  e0decd5e242a276ca03092e53e28f0a5d01741bfa3ba33170f1e7fa417b35618
- SHA512
  
  8dcab4b6dccb736f1bd55b3406b1598efa37e90153c71fb896755df9d65cde27ffcb7f01d2ee47edf572cd1cf36945d92050fe437a663649393e4294a4d18766
- SSDEEP
  
  98304:rQTzteK9NvJiP2Zje8tNJj669cERHEkN+nCFAD7aSwIfeaG4u6r:M/te2vJiP288tUdkSCFADOQe56r
Score

7^/10

discovery spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral7 behavioral8