gh0strat | 8ef2ac633b5288161b178939649bd15cd4662e5a2cba180beb2209857cbe90ed

Analysis

max time kernel
151s
max time network
95s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 01:43

Target

8ef2ac633b5288161b178939649bd15cd4662e5a2cba180beb2209857cbe90ed.dll
Size

117KB
MD5

c6e5162d5eedff9c165d40f76b762a10
SHA1

17456823b6ece44f0d641f68a2282f3f4069494c
SHA256

8ef2ac633b5288161b178939649bd15cd4662e5a2cba180beb2209857cbe90ed
SHA512

97870ba8dd843daa101fe4ade9a1e44431854ca01418dbdbbcc7c7d6c929ea7a3d5c5e05e5d248a4b18e776313cc00659b0bef8de6a3b804d245ad6e1c4b28d4
SSDEEP

3072:OT6QTlxjLXCKDcMERjtJXVtEhKwtD90cUyU:O3HyvjTXLiKwtD9tU7

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012326-56.dat	family_gh0strat
behavioral1/files/0x000f000000012326-57.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
1672	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ceoi\Pgimikcmo.jpg	rundll32.exe
File created	C:\Program Files (x86)\Ceoi\Pgimikcmo.jpg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28
PID 1716 wrote to memory of 1628	1716	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ef2ac633b5288161b178939649bd15cd4662e5a2cba180beb2209857cbe90ed.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ef2ac633b5288161b178939649bd15cd4662e5a2cba180beb2209857cbe90ed.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1628

\??\c:\program files (x86)\ceoi\pgimikcmo.jpg

Filesize
10.2MB

MD5
ec7c012bd48e820aa510e6bdf42194ec

SHA1
265f2df3cc0472375fe39f9034d7b972d668f8dd

SHA256
9fbebaa40d1cad20d895d240c8bfb675627b9c34691936420a8b5f53281ab83e

SHA512
9bed7e786effff75bfe1be4e274e38c38066a15004274ba2a38978cd24d61cea3da4d6cd39741eba897c5029edd48571e63d7560cae004ca77586bbf8d67ec83

Download Submit
\Program Files (x86)\Ceoi\Pgimikcmo.jpg

Filesize
10.2MB

MD5
ec7c012bd48e820aa510e6bdf42194ec

SHA1
265f2df3cc0472375fe39f9034d7b972d668f8dd

SHA256
9fbebaa40d1cad20d895d240c8bfb675627b9c34691936420a8b5f53281ab83e

SHA512
9bed7e786effff75bfe1be4e274e38c38066a15004274ba2a38978cd24d61cea3da4d6cd39741eba897c5029edd48571e63d7560cae004ca77586bbf8d67ec83

Download Submit
memory/1628-54-0x0000000000000000-mapping.dmp

Download
memory/1628-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download