gh0strat | 1edb6e6ab05becf3de4824fac70034b72d7a93a1900469c27f3f857dc2b871de

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 19:11

Target

4efb979016bd4e020dc7ef2fc42f61e6.dll
Size

69KB
MD5

4efb979016bd4e020dc7ef2fc42f61e6
SHA1

d39358c26bb5dbf62b56860fd10761ba4bed18c4
SHA256

1edb6e6ab05becf3de4824fac70034b72d7a93a1900469c27f3f857dc2b871de
SHA512

d50b003c7e6ccfa0cfa49e7a2b34e5dbdefca1a1c7fdf01829bb12a45c579b546bd02ec7ba0177e1bf2de15d78e455b038367a674bc379aadfb6b26a1ab7566d
SSDEEP

1536:z9GyrJcd/yfc9SmOtFqxj7/0Ms03U8jBys/179b:zIyrJi/Ec9SrF2f0103U8jByW179

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224a-3.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 1 IoCs

pid	Process
2944	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\main.jpg	rundll32.exe
File created	C:\Windows\SysWOW64\main.jpg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 8 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28
PID 3020 wrote to memory of 3056	3020	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4efb979016bd4e020dc7ef2fc42f61e6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4efb979016bd4e020dc7ef2fc42f61e6.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3056

\??\c:\windows\SysWOW64\main.jpg

Filesize
312KB

MD5
d33128caae25dfc49a4dab47d248cf6c

SHA1
b60715afc701ea0929c3161c623c87a45ffc6fb7

SHA256
21558ea411dd6df87b044232307d3ab4d305bad7c0b2f2287d285483becf5984

SHA512
8ae2bed5c7ec30ff07c4f2bcf7d83c95978fdf8c50b5a05fe2c7ca9d5c6c41a69a55ed94737ba05258257486a532180bf4b155ac2e273c66c24616a899effc3c

Download Submit