gh0strat | 844d5e23965f603d2225299f9a1a4fca64f6806b17e43eab9a87efc496d8294b

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 04:37

Target

844d5e23965f603d2225299f9a1a4fca64f6806b17e43eab9a87efc496d8294b.dll
Size

135KB
MD5

78a2729a1a5e96ce499678aa9f7bbfbc
SHA1

480d6e0a09b6b7d37651dfe59d94a25af44bf709
SHA256

844d5e23965f603d2225299f9a1a4fca64f6806b17e43eab9a87efc496d8294b
SHA512

259c4ea2d88d07bfe83015718b8f959c202ff4b625f98aabacea9c5b6d1d4f097a0e0f6f2bef65abce61b69409e9d82ac26331821b137d291667d5e291efc313
SSDEEP

3072:0pF1ucA/Py2q2oGSe0cDnT0QDqsx0Y9BsqY/PNgu/zM:0pF1A/PyV2oGSe0A3q8v9BsqCNZI

Score

10^/10

gh0strat rat upx

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4940-133-0x0000000010000000-0x0000000010023000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4940-133-0x0000000010000000-0x0000000010023000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4940	1964	rundll32.exe	82
PID 1964 wrote to memory of 4940	1964	rundll32.exe	82
PID 1964 wrote to memory of 4940	1964	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\844d5e23965f603d2225299f9a1a4fca64f6806b17e43eab9a87efc496d8294b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\844d5e23965f603d2225299f9a1a4fca64f6806b17e43eab9a87efc496d8294b.dll,#1
  2⤵
  PID:4940

memory/4940-133-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download