gh0strat | 3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b

Analysis

max time kernel
118s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/09/2023, 17:47

Target

3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe
Size

134KB
MD5

9600202e9919aa76d669a8a5115dfeb8
SHA1

9bd82a367d94ccf349338f4ae4a266ff600785f0
SHA256

3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b
SHA512

17905a5ade7a056287a56086411faac570f20721ef56e0d56dafbbba2f478e3e49d1b4e6228d3d62231e7c8f7a58ffa1591b36d67439de2b3430bf4354eed93f
SSDEEP

3072:bUD9JxpzoSIP9tKXYPgqtA8+FnH07e9R23RnvU:bUD9JxpzozP6vq+80nU7zR

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2604-6-0x0000000010000000-0x0000000010029000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
2604	RUNDLL32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28
PID 2152 wrote to memory of 2604	2152	3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe	28

C:\Users\Admin\AppData\Local\Temp\3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe
"C:\Users\Admin\AppData\Local\Temp\3618b9794c150076cb82dfa0b95e9caffcb45be8adefc1a8f30014e9e018da4b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32 "C:\Windows\Temp\yydsamingfack.fff" main
  2⤵
  - Loads dropped DLL
  PID:2604

C:\Windows\Temp\yydsamingfack.fff

Filesize
80KB

MD5
cf6eb41c42d173427b7305b21ba4e655

SHA1
1ad2586df0b1a5d0d3c1cf7b0a463236e4ea8e1d

SHA256
1d297ec4b48c513a2632d8395c3df476a914c1e2732e8b830731493481ba0054

SHA512
2d7b2b64c056855202ab52ca3bb7301787659cd3131b7793c7c02a246d257e01dfdc15573bc3732b383778ad01ab65cfaeb05b9a8e7bc547dd7c8de7529a71ab

Download Submit
\Windows\Temp\yydsamingfack.fff

Filesize
80KB

MD5
cf6eb41c42d173427b7305b21ba4e655

SHA1
1ad2586df0b1a5d0d3c1cf7b0a463236e4ea8e1d

SHA256
1d297ec4b48c513a2632d8395c3df476a914c1e2732e8b830731493481ba0054

SHA512
2d7b2b64c056855202ab52ca3bb7301787659cd3131b7793c7c02a246d257e01dfdc15573bc3732b383778ad01ab65cfaeb05b9a8e7bc547dd7c8de7529a71ab

Download Submit
memory/2152-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2152-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2604-5-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download
memory/2604-6-0x0000000010000000-0x0000000010029000-memory.dmp

Filesize
164KB

Download