gh0strat | f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467

Analysis

max time kernel
190s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 13:09

Target

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
Size

6.4MB
MD5

27a2c6683f5bf36f9eca84b69aa522b7
SHA1

6ea61de1d47fad027a9adfd3cc9768ebf4514c22
SHA256

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467
SHA512

e33633cd16697c56fd8472b5ea5353cf33286028589f16c01b677b3395da80c66aef7ed43ec225ed3b1f14779f59d8587790321701eb1252370e0a501d951bb5
SSDEEP

196608:EXCcGV7DTNWbwb8ABOLAvcaYnx++3M1KqovhXKmplB:tcob8AILxDnxhHqElB

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/856-132-0x0000000000400000-0x0000000000AB0000-memory.dmp	family_gh0strat
behavioral2/memory/856-133-0x0000000000400000-0x0000000000AB0000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

pid	process
856	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
856	f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe

C:\Users\Admin\AppData\Local\Temp\f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe
"C:\Users\Admin\AppData\Local\Temp\f31fdd5e13f4fe9ec6de8989382d9baae2ce196e7699b00d3ab8dd2bb4786467.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:856

memory/856-132-0x0000000000400000-0x0000000000AB0000-memory.dmp

Filesize
6.7MB

Download
memory/856-133-0x0000000000400000-0x0000000000AB0000-memory.dmp

Filesize
6.7MB

Download