
Gh0st RAT

Global rank: 56
Month rank: 35
Week rank: 30
IOCs: 349

Gh0st RAT is a remote access trojan that gives attackers full control over the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Type: Remote Access Trojan
Origin: China
First seen: 1 January, 2008
Last seen: 27 April, 2024
Also known as: Ghost RAT

IOCs

Hashes
e6c357c2c7c70b4630dbdcd86df2d98ed28cbd47a9efcbf727fe0fdbc5d5fefa
0e723b24c00d40e82c3040be920ea71fa0c8f868d009f66310250f7286eeb3c7
21bf5011b95992ab59356ed2edc2671b4f0bd1099fb3f3ec903b605c95eadd94
6c4623fbc8526ee94a9e54f339dbba9b7fd980ff3453df9f88c035b5637cb886
3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670
b589dfb3782124f5fa1492667d7c3cd3f98d16a439d81d79d75acdcb4b1b2d24
976122e6ad69e8c7a7cce435bf8031a893a3c791d40e378037747228bf197f89
324fadf63b333de6fd104bd0372d675fefb7c4967bb549c33d4c2e6981aa02d8
78b9254e656ac8e35a1a9845b27b45d190ff49bebdcbdd29878bd0e44c2af133
e35bf264222181badf375dfdc43dd14336a4e54ac29caa3885a8e00717c46f1c
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
5dd53df7c10015dcc9a5c4ad6f4d6200082e0f686a29fbf620b0424fcead95ce
467378c1f55847b3d3c9a51fc9b8bf98765b82d49b63130d78e4c0e24e4b8a25
fd7caf4552ec77550bbba266acd58ae9ec7361e7892fad5091a4f15f0e1dbae6
2d29648e8ef3eb8e7dcb9632359d315ecabee7c32a0c3f3f622b124fd7c07da1
98997417d7ad6f479617b4d7c2c52f437ad40ce46c1aac075c2928f4f6c387cf
5b1409af26ce25ce11e0d11341152812950b50ccedddd6b1cf967be739b99351
506337a40bc2188d721127e6a68a4436d00f7e3d4127ce4fad5166eac474184d
d0dae9c10c77774815abd67a8cfb89ecf10cbbd9a2060fd3ddb1174b78c6d57d
335abe469bcf9194289ba5814fef215e4e8f02e1175f7654d56651a243ed4745

What is Gh0st RAT malware?

Gh0st RAT is one of the long-standing members of the global threat landscape. Launched in 2008, it remains in full operation to this day. The RAT part in the malware’s name stands for Remote Access Trojan, meaning that it provides attackers with the capacity to control the victim’s machine and manipulate it.

The original developers of Gh0st RAT were from China. However, due to the open-source nature of its code, criminals from many other countries have created their iterations of the malicious software. As a result, there are many versions of this trojan with varying sets of features.

If you're interested in exploring variants of Gh0st, we recommend reading our article Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery.

The most notable aspect of Gh0st RAT is that it has been utilized by criminal groups linked to the Chinese government. For instance, in 2009, the malware was used to target Tibetan organizations. There were also instances of attacks on businesses in various fields, including healthcare and banking.

Technical details of the Gh0st RAT malicious software

The standard feature set of Gh0st RAT includes the following:

  • Mouse and keyboard manipulation: The malware logs keystrokes and mouse movements, which lets attackers recover passwords and other credentials the victim types. It can also block these input devices.
  • Screenshot and webcam capturing: Gh0st can capture the user's screen and webcam, which threat actors commonly use for surveillance.
  • Microphone recording: The malware can also record audio from the user's microphone.
  • File system access: The RAT can transfer files between the infected computer and the remote server in both directions, so it can exfiltrate sensitive data as well as drop and execute additional malware, programs, or scripts.
  • System reboot and shutdown: It can restart the machine (for example, after installing its autostart entries) or shut it down completely to hinder the victim's attempts to mitigate the threat.

To persist on the system, Gh0st RAT adds registry entries that launch it automatically at every startup. The malware also checks whether it is running inside a virtual machine and whether antivirus software is installed, which helps it evade analysis sandboxes and detection. It additionally uses encryption to obfuscate its functionality.
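To check a host for the Run-key persistence described above, the Python script below parses the text produced by `reg export` and flags autorun values with RAT-typical traits (binaries in user-writable directories, Windows system-binary names outside %SystemRoot%, commands wrapped in cmd.exe). It is an added example, not ANY.RUN tooling and not a Gh0st signature; the .reg content, value names and paths in it are constructed and hypothetical.

```python
"""Triage autorun registry entries exported with `reg export` for RAT-style persistence.

Added example, not ANY.RUN tooling. The .reg text is constructed for illustration;
the entry names and paths in it are hypothetical, not Gh0st IOCs.
"""
import re

# Constructed sample in the format `reg export HKCU\...\Run run.reg` produces
# (UTF-16 on disk; decoded to str here). One benign and one suspect entry per hive.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"update"="cmd.exe /c start \"\" \"C:\\Users\\Public\\update.exe\""
'''

AUTORUN_SUFFIXES = (
    "\\currentversion\\run",
    "\\currentversion\\runonce",
    "\\currentversion\\policies\\explorer\\run",
)
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "services", "smss"}


def parse_reg_export(text: str) -> dict:
    """Return {key_path: [(value_name, data_string), ...]} from .reg export text.

    Only REG_SZ values (quoted strings) are kept; hex(...) blobs and @ defaults are skipped.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = []
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes only backslash and double quote, each with a backslash
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
                entries[current].append((name.strip('"'), data))
    return entries


def triage_autoruns(entries: dict) -> list:
    """Flag autorun values that run from user-writable paths, borrow a Windows
    system binary name outside %SystemRoot%, or are wrapped in cmd.exe."""
    findings = []
    for key, values in entries.items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, data in values:
            cmd = data.lower()
            reasons = []
            if any(p in cmd for p in USER_WRITABLE):
                reasons.append("runs from user-writable directory")
            m = re.search(r"([a-z0-9_\-]+)\.exe", cmd)
            if m and m.group(1) in SYSTEM_NAMES and "\\windows\\" not in cmd:
                reasons.append("system-binary name outside %SystemRoot%")
            if re.search(r"\bcmd(\.exe)? /c", cmd):
                reasons.append("launched through cmd.exe")
            if reasons:
                findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in triage_autoruns(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name}: {data}\n    -> {', '.join(reasons)}")
```

On a live host, export the Run and RunOnce keys of HKCU and HKLM with `reg export`, read the files with `open(path, encoding="utf-16")` (the export is UTF-16 with a BOM) and pass the text to `parse_reg_export`. The heuristics are deliberately coarse: a hit is a lead for the analyst, not a verdict.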

Essentially, Gh0st operates much like other RAT families such as njRAT and DCRat.

Execution process of Gh0st RAT

By uploading a sample of Gh0st RAT to ANY.RUN, an interactive sandbox for malware analysis, we can observe its malicious processes in detail and collect IOCs.

The execution process of the Gh0st stealer variant analyzed here typically begins with the user inadvertently downloading or running a malicious file, often disguised as legitimate software or attached to a phishing email. Once executed, the malware connects to a remote command and control (C2) server, allowing the attacker to control the infected system remotely. The malware relies on built-in system tools for execution, such as cmd.exe in our example.
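The C2 connection mentioned above uses Gh0st's own framing rather than a standard protocol. The block below is an added example, not ANY.RUN code; it builds and parses frames in the classic Gh0st 3.6 wire format (5-byte marker, little-endian total and uncompressed lengths, zlib-compressed body) that later variants inherited, and includes the kind of stateless check a network sensor can apply to the first bytes of a stream. The markers other than "Gh0st" are variant markers reported in public IDS signatures, the single-byte XOR option mimics XOR-wrapped variants, and the payload bytes are constructed; which of these applies to a given sample is an assumption you must confirm against the traffic.

```python
"""Build, parse and fingerprint Gh0st-style C2 frames (added example, not ANY.RUN code).

The classic Gh0st client sends every message as
    5-byte marker "Gh0st" | u32 LE total frame length | u32 LE uncompressed length | zlib body
Variants keep the layout but change the marker (e.g. "LURK0", "cb1st") and sometimes
XOR the whole frame, so the sensor check keys on structure, not only on the string "Gh0st".
"""
import struct
import zlib

HEADER_LEN = 13  # 5-byte marker + two u32 lengths
# Original marker plus variant markers seen in public IDS signatures (assumed list).
KNOWN_MARKERS = {b"Gh0st", b"LURK0", b"cb1st", b"HEART", b"Hello"}
# zlib stream headers for compression levels 1, 6 (default) and 9.
ZLIB_PREFIXES = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")


def build_frame(payload: bytes, marker: bytes = b"Gh0st", xor_key: int = 0) -> bytes:
    """Encode a payload as the original client does; xor_key != 0 mimics XOR-wrapped variants."""
    if len(marker) != 5:
        raise ValueError("marker must be exactly 5 bytes")
    body = zlib.compress(payload)
    frame = marker + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body
    return bytes(b ^ xor_key for b in frame) if xor_key else frame


def parse_frame(data: bytes, xor_key: int = 0) -> tuple:
    """Return (marker, payload); raise ValueError if the lengths or zlib stream do not add up."""
    if xor_key:
        data = bytes(b ^ xor_key for b in data)
    if len(data) < HEADER_LEN:
        raise ValueError("frame shorter than header")
    marker = data[:5]
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len != len(data):
        raise ValueError(f"length field {total_len} does not match frame size {len(data)}")
    payload = zlib.decompress(data[HEADER_LEN:])
    if len(payload) != orig_len:
        raise ValueError("uncompressed length field does not match body")
    return marker, payload


def looks_like_gh0st(first_bytes: bytes) -> bool:
    """Stateless check for the first bytes of a TCP stream: known marker,
    sane total length and a zlib header right after the 13-byte header."""
    if len(first_bytes) < HEADER_LEN + 2:
        return False
    total_len, _ = struct.unpack("<II", first_bytes[5:HEADER_LEN])
    return (first_bytes[:5] in KNOWN_MARKERS
            and total_len >= HEADER_LEN + 2
            and first_bytes[HEADER_LEN:HEADER_LEN + 2] in ZLIB_PREFIXES)


if __name__ == "__main__":
    # Constructed payload; in the real protocol the first byte is a command token.
    frame = build_frame(b"\x01" + b"constructed-beacon")
    print(frame[:HEADER_LEN].hex(), looks_like_gh0st(frame), parse_frame(frame))
```

Because the frame carries both the compressed and uncompressed lengths, a parser can reject a stream early when they disagree; a sensor that only matches the literal "Gh0st" misses every variant that renamed the marker, while the structural check above still fires unless the variant also XORs the header.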

The stealer then begins its data theft operations, scanning the system for sensitive information such as usernames, passwords, and financial data. Captured data is exfiltrated to the attacker's server, where it can be exploited directly or sold on the dark web. The malware may also maintain persistence on the compromised system, allowing continued data theft and remote control. In our task, the stealer uses a steganography technique to keep its payload out of sight: it hides an encrypted DLL inside a downloaded JPEG image.

Figure: Gh0st process tree shown in ANY.RUN

Distribution methods of the Gh0st RAT malware

As mentioned earlier, Gh0st RAT is often used in targeted campaigns against government organizations and businesses. To carry them out successfully, attackers rely on spear phishing.

This involves composing emails that are similar to those sent by legitimate entities to trick the victim into downloading a malicious attachment or clicking on an unsafe link.

Conclusion

Gh0st RAT is a veteran RAT whose source code is publicly available, and it continues to be used by both individuals and organized groups in attacks around the world. Because phishing campaigns are the key starting point of infection, businesses need to exercise extra vigilance when handling suspicious emails.

By analyzing files and emails from unknown senders in ANY.RUN, companies can quickly determine whether they were targeted. The service delivers verdicts on a sample's malicious activity and generates detailed reports containing IOCs and extracted configs to support future detection.
