gh0strat | 22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab

Analysis

max time kernel
58s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 17:38

Target

22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe
Size

348KB
MD5

6253712d216be356f2ec65596e2228e0
SHA1

58a8491da2cbfee7556cfe02a0a78bc4f5df8838
SHA256

22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab
SHA512

5cc5646d815660d377367a0539aed7d0a741f3be57335e9af1c24b0f785e55b572dac9fe99c810ddf8b4a1419c7bf79b779c64d471894af73430d6a227e682c1
SSDEEP

6144:MJueTkwOwoWOQ3dwaWB28edeP/deUv80P80Ap8UGwoTGHZOWJkqd0K4rG7eVT0SC:ouLwoZQGpnedeP/deUe1ppGjTGHZRT0u

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1352-57-0x0000000000400000-0x000000000042F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1444	1352	WerFault.exe	12

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27
PID 1352 wrote to memory of 1444	1352	22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe	27

C:\Users\Admin\AppData\Local\Temp\22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe
"C:\Users\Admin\AppData\Local\Temp\22616e2fea70fdc5c91b0ec6d0ecdf33fa0c160eed993b307532e24f2965e2ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 260
  2⤵
  - Program crash
  PID:1444

\Users\Admin\AppData\Local\Temp\gok953E.tmp

Filesize
172KB

MD5
459671c1ed1722e3b41a05e7b4298e8f

SHA1
8ca96d506e2b02096ced8846ced9a821b46e9243

SHA256
782a9827e7c3425c7fb396b89adc04e250501ef64e525cfd699e5a7e657f644b

SHA512
72b0cc3289c475fc0fef25b0c45c15f837c89c33d9351e13eec20ef1a4df26461cf6f8d7adf35adde20f2808ed95d6d538c6b95c52616afb1751e318e0f901c7

Download Submit
memory/1352-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1352-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-58-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1352-59-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1352-60-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/1352-61-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/1352-62-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download