gh0strat | ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1

Analysis

max time kernel
151s
max time network
100s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 17:33

Target

ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll
Size

105KB
MD5

f130b2a825263b2766f3c5108270ab0d
SHA1

3de865d14cebf181e3ab9cda3c8929dc7e447454
SHA256

ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1
SHA512

deb0a8e0e44008c9f194140114bdd5ce4f009d1188c623a7b4cc4ae9caf33db05b0da8043addb54bd3803f9712b1d020fa64cfae7b2383e894625b4cf6e13782
SSDEEP

3072:BvBKS+26Y8zoz4EfZRzUKR/F4pEIbybZuwu1Uq:N8tA1fYmFEX2ZuwuC

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\??\c:\windows\filename.jpg	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\FileName.jpg rundll32.exe
File opened for modification C:\Windows\FileName.jpg rundll32.exe

description	ioc	process
File created	C:\Windows\FileName.jpg	rundll32.exe
File opened for modification	C:\Windows\FileName.jpg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 2040	1788	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71716ca5e7b8aeba987591ea74a011afc97b2ea188014225b8a6a8ef1ecaa1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

\??\c:\windows\filename.jpg
Filesize
8.6MB

MD5
6f85f055fdaf65ffd999a4c2312f692b

SHA1
ad5284daeea50ff5b3d9bb57f07f9d8d9940fc51

SHA256
a12c2ef8b4502d0e3de44d16364eac703d06cbd08d00a1611322a89f0e7421ba

SHA512
756b75e5f40cfaf7fe06f50565e00c4f951ebee075bb024bafeeaeccffecb2d13e91d49673d5bbc9849ff88b42e2a05511ee6cb3c319fde65a05871a0a0ca24c

Download Submit
memory/2040-54-0x0000000000000000-mapping.dmp

Download
memory/2040-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download