gh0strat | 7f40c027e20fc18683d237028acf8bc70a2772ba24051b7aad51088e677588a4

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 22:33

Target

b5d366e5d4822cde80c8c3ea623d20b2.dll
Size

119KB
MD5

b5d366e5d4822cde80c8c3ea623d20b2
SHA1

a94d7745f87cd53ef66a053ec7eb1f9534d29bb9
SHA256

7f40c027e20fc18683d237028acf8bc70a2772ba24051b7aad51088e677588a4
SHA512

15c512dc8de20b29f26ecc9074c189825db0daee3b92e75e809b1be646d9b480ff01c06602593ef559cf31cb0863e207cd4010c53e80c813b133f33c802294c1
SSDEEP

3072:1lqfM4TYZesGO4Qg/0ilm37GBYfiA+SIML+HsZwUN:1lqfTY4Yjg/0VqY6hMLruk

Score

10^/10

gh0strat rat

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/1772-1-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/1772-2-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat
behavioral1/memory/1772-3-0x0000000010000000-0x0000000010021000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28
PID 2980 wrote to memory of 1772	2980	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d366e5d4822cde80c8c3ea623d20b2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5d366e5d4822cde80c8c3ea623d20b2.dll,#1
  2⤵
  PID:1772

memory/1772-0-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1772-1-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1772-2-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1772-3-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download