gh0strat | 86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c

Analysis

max time kernel
55s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:22

Target

86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe
Size

332KB
MD5

627d21f20805f6585622a96b9fc8b17d
SHA1

b55a5c572d5318410bd66f19590dce45bfe3be38
SHA256

86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c
SHA512

9a59119891d42e6983a8aa6ce6502e51fd140fbf5236bdbb4798e8362809569a5bb33d259ee8f1e1fa9bb42d597545a3841a9fe26c624cfae5fde251b31d4d25
SSDEEP

6144:RiT3IWB0AL7tDJ5cp34EnU4G7v4G7AWFWZyG:UfB0AdDrcN7+JA7YG

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1776-56-0x0000000000400000-0x0000000000456000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1324 1776 WerFault.exe 86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe

pid	pid_target	process	target process
1324	1776	WerFault.exe	86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe

description	pid	process	target process
PID 1776 wrote to memory of 1324	1776	86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe	WerFault.exe
PID 1776 wrote to memory of 1324	1776	86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe	WerFault.exe
PID 1776 wrote to memory of 1324	1776	86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe	WerFault.exe
PID 1776 wrote to memory of 1324	1776	86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe
"C:\Users\Admin\AppData\Local\Temp\86c7ab0174e1925b29233d23ab6ab66a805e7d7c01481cd857a4d1f7e9b8881c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 164
2⤵
- Program crash
PID:1324

memory/1324-55-0x0000000000000000-mapping.dmp

Download
memory/1776-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1776-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download