gh0strat | 4ee20558b9da83776f563619de8002838d49b21412f40ff74391292c411a83a9

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 14:34

Target

CERTIFICATE.dll
Size

101KB
MD5

fcfa69cbc689304e055d5705ed7692a1
SHA1

983815092026b81b125e85e02c6e019ef6349ecc
SHA256

4ee20558b9da83776f563619de8002838d49b21412f40ff74391292c411a83a9
SHA512

51c0b2eb5bc1da32b3aa0b310df6d4f08e6a3e8b3f195ead6a9dc3011042a0c92f05c5163e99084488228ed05ca4f62f51b658f591269a42682be1c6ad6af33e
SSDEEP

3072:rwZ2QNI3VGVilUVjz764/9xjEEUQqbZuwI5RG:VVGg2x9tjUpZuwIrG

Score

10^/10

gh0strat rat

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\??\c:\windows\filename.jpg	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4416 svchost.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\FileName.jpg rundll32.exe
File opened for modification C:\Windows\FileName.jpg rundll32.exe

description	ioc	process
File created	C:\Windows\FileName.jpg	rundll32.exe
File opened for modification	C:\Windows\FileName.jpg	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4844 wrote to memory of 4344	4844	rundll32.exe	rundll32.exe
PID 4844 wrote to memory of 4344	4844	rundll32.exe	rundll32.exe
PID 4844 wrote to memory of 4344	4844	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CERTIFICATE.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4272

\??\c:\windows\filename.jpg
Filesize
12.1MB

MD5
83026bada5b70aa02a7b4ed10b6c85b3

SHA1
b1cdd546d196d7d9fe4bb86e54d902888abdac47

SHA256
e27b37255a201f7249a66ce71502456603dbb8e9d2252ea19e2169b8290b6f0a

SHA512
679bcb94d33cf5fa3c8d739cc5b481b94e8ebfda7b624d483bdd176d1e14637edaae005fe5b45f77320ae5da3309a9beaf70ccd9eb97408731999eb8f4cd80e3

Download Submit