gh0strat | d29d6b3847a729586181cdb308632b22344b0f8c8f5f072176d35123c007d21b

Analysis

max time kernel
185s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 16:37

Target

d29d6b3847a729586181cdb308632b22344b0f8c8f5f072176d35123c007d21b.dll
Size

124KB
MD5

6ec5904b65aa5bdbce134c3240af1f17
SHA1

34c31fea1b07edfb942403336512fad9675b1b5e
SHA256

d29d6b3847a729586181cdb308632b22344b0f8c8f5f072176d35123c007d21b
SHA512

e13d8442120df176f15f5053ea29cc3c673c5b0b5ae6de06700052b9c20219abe6025dca91a78f18c6624954fa0c62c1d816f889ad5c154eaa04dbbdc3ad87cd
SSDEEP

1536:/iUvb3bgF8efng8G8S+/NTsFKXtBuPuKNT8qlabOQ7WtGwQJx8KHwF4eqq:/zcF8efg8JNjziu+6bOWaJOQ

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/1272-133-0x0000000000D20000-0x0000000000D40000-memory.dmp	family_gh0strat
behavioral2/memory/1272-135-0x0000000000D20000-0x0000000000D40000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1316	sc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1272	2680	rundll32.exe	80
PID 2680 wrote to memory of 1272	2680	rundll32.exe	80
PID 2680 wrote to memory of 1272	2680	rundll32.exe	80
PID 1272 wrote to memory of 1316	1272	rundll32.exe	81
PID 1272 wrote to memory of 1316	1272	rundll32.exe	81
PID 1272 wrote to memory of 1316	1272	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d29d6b3847a729586181cdb308632b22344b0f8c8f5f072176d35123c007d21b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d29d6b3847a729586181cdb308632b22344b0f8c8f5f072176d35123c007d21b.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\sc.exe
    sc config w32time start= auto
    3⤵
    - Launches sc.exe
    PID:1316

memory/1272-133-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/1272-135-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download