gh0strat | 7be23d158b89ff65e50a299921f558f7a37d6e1be6ff802281383a0b931d0799 | Triage

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 06:22

Sharing

Report Analysis Logs

General

Target

bde3e413b4919fde1b0504d88fe7dcd4.dll
Size

106KB
MD5

bde3e413b4919fde1b0504d88fe7dcd4
SHA1

4d07fb3f8f545c90a91f6be622e9d3a032551a8f
SHA256

7be23d158b89ff65e50a299921f558f7a37d6e1be6ff802281383a0b931d0799
SHA512

c5b616a98c9a4fb253a57c28ac001f5145c8b95c10843d3dc6670b63ec5fc5c6cb7d9680938f982ad3d5eb64a54159b77da7fdf1320332ef8a391b9d2dba5662
SSDEEP

768:i4kmcL9TAxP7dbOLWKUqcNZk6iPY8cawcXdD:i4k/9TydaLW1qctaldD

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2000-0-0x0000000010000000-0x000000001001D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
888	2000	WerFault.exe	88

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2000	2220	rundll32.exe	88
PID 2220 wrote to memory of 2000	2220	rundll32.exe	88
PID 2220 wrote to memory of 2000	2220	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bde3e413b4919fde1b0504d88fe7dcd4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bde3e413b4919fde1b0504d88fe7dcd4.dll,#1
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 544
    3⤵
    - Program crash
    PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2000 -ip 2000
1⤵
PID:4860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-0-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download