gh0strat | 4f70cf490d98ed6a6d60c1cc1f1a192a5ace13f86f6d0d148d4f31455c424ee2

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 19:43

Target

a7ae47315be47fc7c1341ce1d06bb5e1.dll
Size

98KB
MD5

a7ae47315be47fc7c1341ce1d06bb5e1
SHA1

d0652d1977a23f7b5b81481cecc2a763b082112c
SHA256

4f70cf490d98ed6a6d60c1cc1f1a192a5ace13f86f6d0d148d4f31455c424ee2
SHA512

cc6f01592faa0b3d5b708feb1751c3c1141613cad1de7a78858402388a381ad3dc79d3025e44470a600491890bcb21c760c910904cf8f635720d24ecb0e7e5ac
SSDEEP

1536:3TzxmTwqh0WDRi5bPYyWWZRQ6gouqcedXf/Ea9z6a//rBK:3TzxLqh+lPmPouqJdP/EaN6a//rBK

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2720-0-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral1/memory/2720-2-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral1/memory/2720-1-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat
behavioral1/memory/2720-3-0x0000000010000000-0x000000001001B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28
PID 2448 wrote to memory of 2720	2448	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ae47315be47fc7c1341ce1d06bb5e1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ae47315be47fc7c1341ce1d06bb5e1.dll,#1
  2⤵
  PID:2720

memory/2720-0-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2720-2-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2720-1-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2720-3-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download