gh0strat | 6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 22:55

Target

6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll
Size

133KB
MD5

0c4cc070573d6f909d08b6cd5d3695a3
SHA1

aa05eb797e2f4498f196dd258525028182d8b9d9
SHA256

6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2
SHA512

6eb75e18503bf5a61d8cc6eed0c88c430ea45ae158bf394c042693b784ce4451fe51d378b446c162ea7dbdefa719be1aea9235b39e664d527911d814004c5d41
SSDEEP

3072:bixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEtJO:aANBxIxh0u4TSg7vECzcu0

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022de4-133.dat	family_gh0strat
behavioral2/files/0x0007000000022de4-134.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
3076	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	rundll32.exe
File created	C:\Program Files (x86)\Oklm\Tklmnopqr.jpg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3536	4396	rundll32.exe	77
PID 4396 wrote to memory of 3536	4396	rundll32.exe	77
PID 4396 wrote to memory of 3536	4396	rundll32.exe	77

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b803397f4a333187411141277705e5bafcd3e24e96338c869dd0939236601a2.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3536

C:\Program Files (x86)\Oklm\Tklmnopqr.jpg

Filesize
17.8MB

MD5
f7709cd9a500834a9f76b8b092faa41c

SHA1
48cda3eafeba3b32f77f88725ad83c2eb132cb55

SHA256
c528ab2fcaff862d21711e9ae22feb6cf5074fc6b6928276c96542f0847cbbd4

SHA512
a55a86fb190d6a3c7905c671d296d37278c28c524334b4e51297eec5d4032c38590b680c8e3e78a85355fb3f6be097fafed024c4b65c6a3e125776221c12ad93

Download Submit
\??\c:\program files (x86)\oklm\tklmnopqr.jpg

Filesize
17.8MB

MD5
f7709cd9a500834a9f76b8b092faa41c

SHA1
48cda3eafeba3b32f77f88725ad83c2eb132cb55

SHA256
c528ab2fcaff862d21711e9ae22feb6cf5074fc6b6928276c96542f0847cbbd4

SHA512
a55a86fb190d6a3c7905c671d296d37278c28c524334b4e51297eec5d4032c38590b680c8e3e78a85355fb3f6be097fafed024c4b65c6a3e125776221c12ad93

Download Submit