gh0strat | 6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2

Analysis

max time kernel
11s
max time network
52s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 22:55

Target

6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll
Size

133KB
MD5

0c4cc070573d6f909d08b6cd5d3695a3
SHA1

aa05eb797e2f4498f196dd258525028182d8b9d9
SHA256

6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2
SHA512

6eb75e18503bf5a61d8cc6eed0c88c430ea45ae158bf394c042693b784ce4451fe51d378b446c162ea7dbdefa719be1aea9235b39e664d527911d814004c5d41
SSDEEP

3072:bixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEtJO:aANBxIxh0u4TSg7vECzcu0

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000013473-56.dat	family_gh0strat
behavioral1/files/0x000e000000013473-57.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
1552	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	rundll32.exe
File created	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17
PID 1452 wrote to memory of 1004	1452	rundll32.exe	17

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1004

\??\c:\program files (x86)\oklm\tklmnopqr.jpg

Filesize
82KB

MD5
f6c20ed7824be3156672a654beb1b694

SHA1
eb416e5f3839b22ba6e220a7b9d48f756a737634

SHA256
14b7edd5fdc7bd3520cf277d5cd418d4eb968531c7934c7a23c854586b56a227

SHA512
552ffcbc58785ce0186a5edfa9fb6d0aa5de5b0fc29252776b270425f9fc7965f3959ec957f40dc1eb18f7124420cbb34d75ee7f79edea4066f28216aa48417c

Download Submit
\Program Files (x86)\Oklm\Tklmnopqr.jpg

Filesize
89KB

MD5
225b2570a7f66f55d7265cb499b34f56

SHA1
9c29456481860fa160f4841869ab8fcb18e3c182

SHA256
c344d94fe0a9b0f07e7f38acfe13eab4898005838317054615753d01c2cf1e14

SHA512
9e433341e9d29aaedba59ae370f9908340367c9615a146fb8e8cc04ed01d12506014fda07985a124f0dd5d843892951ca5b274fe9833f971ff5b124d275c0800

Download Submit
memory/1004-55-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download