gh0strat | 1107fb0320dea889cfeeb04400e2bf858abf27a920b0f02b4798f00648bffee1

Analysis

max time kernel
128s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 19:10

Target

805395f164928eexeexeexeex.exe
Size

322KB
MD5

805395f164928eabebbce0025c5f2759
SHA1

11eea6d9164caa3d1cff4f61e0c0cd624175d95a
SHA256

1107fb0320dea889cfeeb04400e2bf858abf27a920b0f02b4798f00648bffee1
SHA512

781b9007168600b8be04a42ff2e2d7024ee6779cd74e258fa677ac76e7df0fa11d8978780902baa44ebe8f115f762405f2ea36405d6b6389c1e79382395df8a9
SSDEEP

6144:9KfmqBKJE1dnW8TZZOlYaRiHIqmq8gYQnO0FVNEUHLc78gw:mCEnnj3Jrmq8gYQO6uUHLG8

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5072-133-0x0000000010000000-0x000000001000B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1564	ASD.com
4940	ASD.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Crrange\ASD.com	805395f164928eexeexeexeex.exe
File opened for modification	C:\Program Files (x86)\Crrange\ASD.com	805395f164928eexeexeexeex.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5072	805395f164928eexeexeexeex.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4940	1564	ASD.com	84
PID 1564 wrote to memory of 4940	1564	ASD.com	84
PID 1564 wrote to memory of 4940	1564	ASD.com	84

C:\Program Files (x86)\Crrange\ASD.com

Filesize
322KB

MD5
805395f164928eabebbce0025c5f2759

SHA1
11eea6d9164caa3d1cff4f61e0c0cd624175d95a

SHA256
1107fb0320dea889cfeeb04400e2bf858abf27a920b0f02b4798f00648bffee1

SHA512
781b9007168600b8be04a42ff2e2d7024ee6779cd74e258fa677ac76e7df0fa11d8978780902baa44ebe8f115f762405f2ea36405d6b6389c1e79382395df8a9

Download Submit
C:\Program Files (x86)\Crrange\ASD.com

Filesize
322KB

MD5
805395f164928eabebbce0025c5f2759

SHA1
11eea6d9164caa3d1cff4f61e0c0cd624175d95a

SHA256
1107fb0320dea889cfeeb04400e2bf858abf27a920b0f02b4798f00648bffee1

SHA512
781b9007168600b8be04a42ff2e2d7024ee6779cd74e258fa677ac76e7df0fa11d8978780902baa44ebe8f115f762405f2ea36405d6b6389c1e79382395df8a9

Download Submit
C:\Program Files (x86)\Crrange\ASD.com

Filesize
322KB

MD5
805395f164928eabebbce0025c5f2759

SHA1
11eea6d9164caa3d1cff4f61e0c0cd624175d95a

SHA256
1107fb0320dea889cfeeb04400e2bf858abf27a920b0f02b4798f00648bffee1

SHA512
781b9007168600b8be04a42ff2e2d7024ee6779cd74e258fa677ac76e7df0fa11d8978780902baa44ebe8f115f762405f2ea36405d6b6389c1e79382395df8a9

Download Submit
memory/5072-133-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download