gh0strat | 24e103dc1741236784f0a58391f8226ed7afd25d7868e16ebcbdbe045fe04fee

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 05:55

Target

24e103dc1741236784f0a58391f8226ed7afd25d7868e16ebcbdbe045fe04fee.dll
Size

94KB
MD5

933da59d3e914f4137e80f8e169c5f8d
SHA1

5e12339cd9b7b37f240face4e1a9d3a698dd0eca
SHA256

24e103dc1741236784f0a58391f8226ed7afd25d7868e16ebcbdbe045fe04fee
SHA512

d7e35a6170a64b86b478608c1e48b8e95e9953005749a06ceeb07ed790843a1ddd6d5eccfd63cb7efefb92453fd81b81d498b92b885d295f77c32dc3b42e024a
SSDEEP

1536:FPU/q1TDnXo7vRAI9k1Lcd/nLLie+ccSpJfDJAp2ycnSr6hK:FPU/qxXo7iI9uLcxye+nSpJDJA7cnS2h

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1560-57-0x0000000010000000-0x000000001001A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1284	1560	WerFault.exe	26

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1344 wrote to memory of 1560	1344	rundll32.exe	26
PID 1560 wrote to memory of 1284	1560	rundll32.exe	27
PID 1560 wrote to memory of 1284	1560	rundll32.exe	27
PID 1560 wrote to memory of 1284	1560	rundll32.exe	27
PID 1560 wrote to memory of 1284	1560	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24e103dc1741236784f0a58391f8226ed7afd25d7868e16ebcbdbe045fe04fee.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\24e103dc1741236784f0a58391f8226ed7afd25d7868e16ebcbdbe045fe04fee.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 260
    3⤵
    - Program crash
    PID:1284

memory/1560-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1560-57-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download