gh0strat | 6d5506afd176ec21b7400014e307121697b4c0b36c087aeca3403607cb29db12

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-09-2022 22:56

Target

6d5506afd176ec21b7400014e307121697b4c0b36c087aeca3403607cb29db12.dll
Size

114KB
MD5

df96496f94e7625054d0c8945a83cfe5
SHA1

5383f91cf9903b730e0df785d0e800eeaa1332ad
SHA256

6d5506afd176ec21b7400014e307121697b4c0b36c087aeca3403607cb29db12
SHA512

bde86010dae78b56851663db890fecd58fbdece70b164a7f2ac0f3b90f170b78898ae87d5cbe27dc497ab6114d09685bd826d8c30e76731098b5725ec40d41c2
SSDEEP

1536:DAWp+g5LW7yM0r5BsrzKbpsV29Wttc8ElfIN+uBYk/ifSg//:EWP5UyMwb00N9WttHEdIN+uSk/ifSE

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012326-56.dat	family_gh0strat
behavioral1/files/0x000e000000012326-57.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
1704	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Iefg\Nefghijkl.pic	rundll32.exe
File opened for modification	C:\Program Files (x86)\Iefg\Nefghijkl.pic	rundll32.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28
PID 1076 wrote to memory of 1008	1076	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d5506afd176ec21b7400014e307121697b4c0b36c087aeca3403607cb29db12.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d5506afd176ec21b7400014e307121697b4c0b36c087aeca3403607cb29db12.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1008

\??\c:\program files (x86)\iefg\nefghijkl.pic

Filesize
5.0MB

MD5
1a16ff5fe72352f74cce182a0fe2a4fd

SHA1
746aa965a3147b056c6b068789586f19e6b8eafe

SHA256
9a0ef38b37ed95283eea3534296164f25a571910e2f42aed507b086e369e2575

SHA512
023675c832e23bb0b7cb62adad118f4d1bac8d738cd9083715a8f21170ce739edadde019fb3b0b8f38000309d951ba7c905856492623c8cc7bccad71c8f49542

Download Submit
\Program Files (x86)\Iefg\Nefghijkl.pic

Filesize
5.0MB

MD5
1a16ff5fe72352f74cce182a0fe2a4fd

SHA1
746aa965a3147b056c6b068789586f19e6b8eafe

SHA256
9a0ef38b37ed95283eea3534296164f25a571910e2f42aed507b086e369e2575

SHA512
023675c832e23bb0b7cb62adad118f4d1bac8d738cd9083715a8f21170ce739edadde019fb3b0b8f38000309d951ba7c905856492623c8cc7bccad71c8f49542

Download Submit
memory/1008-54-0x0000000000000000-mapping.dmp

Download
memory/1008-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download