gh0strat | 5cbd35bcaf678d7f516b2429ed7ce6221f7fbacce57b812780a7dd3f9bb32e2e

Analysis

max time kernel
161s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 01:07

Target

ca18f519db12bb3291d96f9acdb9cb3d.dll
Size

153KB
MD5

ca18f519db12bb3291d96f9acdb9cb3d
SHA1

be38cd7494591911cd757c014dd60db2f63cad99
SHA256

5cbd35bcaf678d7f516b2429ed7ce6221f7fbacce57b812780a7dd3f9bb32e2e
SHA512

55b93afc201af28a5f64b4cc6d6b63187dca323925cb362d8b69c29b4c59419db2589dbdfb5f39ef3fe9d93094d5c74933d7d42e6d7a31bd740eb4e7efbed2aa
SSDEEP

3072:aKXaEtJmw3fe/YEMFVFAJZv0v2opFTBftxvkKJemUQxUa7:9htjewEMf9v2opFTBlxvkZxa7

Score

10^/10

gh0strat rat

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/1312-0-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat
behavioral2/memory/1312-2-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rundll32.exe.txt	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4412	1312	WerFault.exe	96
1008	1312	WerFault.exe	96

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1312	1596	rundll32.exe	96
PID 1596 wrote to memory of 1312	1596	rundll32.exe	96
PID 1596 wrote to memory of 1312	1596	rundll32.exe	96
PID 1312 wrote to memory of 4412	1312	rundll32.exe	104
PID 1312 wrote to memory of 4412	1312	rundll32.exe	104
PID 1312 wrote to memory of 4412	1312	rundll32.exe	104

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca18f519db12bb3291d96f9acdb9cb3d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca18f519db12bb3291d96f9acdb9cb3d.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 616
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 616
    3⤵
    - Program crash
    PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1312 -ip 1312
1⤵
PID:4128

memory/1312-0-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/1312-2-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download