gh0strat | 6e1de8d920d78be42e3055b1e70a063e443f6b9fa8bb280eec8f170e74fd494e

Analysis

max time kernel
74s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 20:07

Target

360rsp.exe
Size

562KB
MD5

fe7279ede3a7dcb7184105e6ebad8462
SHA1

7bb5420426828b1fb5c39655dd2970a5eefbd47e
SHA256

6c36e20b91ea36d03c7ac4cbddce7d045470757f21da2e340abb6510c4ba6b87
SHA512

1853792e5f40e92e36094b02d1a05e767c20923b19f0b85ced2f70e23c695b8d3273fa150004e659f9c721919110b82d3e19331d8f309e482ea3f927277d4109
SSDEEP

12288:3opCiRmtWBygSpspt7t0Ms9tmc5xW0UG24ip0hfHvpeWVRQWocoooooYoooooooh:l7q22h0MstmWxZUG24ip+vpeWVRnocoV

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1904-1-0x0000000010000000-0x0000000010020000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	360rsp.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1904-0-0x0000000073DA0000-0x0000000073DB2000-memory.dmp

Filesize
72KB

Download
memory/1904-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1904-9-0x0000000073DA0000-0x0000000073DB2000-memory.dmp

Filesize
72KB

Download