gh0strat | 44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 20:14

Target

44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5.dll
Size

141KB
MD5

20106927ddeb4caa29d0c4879bc82f3d
SHA1

5bbb91b7c923a3b81ab7baa3122ae1f76a9899f8
SHA256

44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5
SHA512

11f8b8b0a50026017e21d76c171b44a8f661af63676b95b6ac88a97f06801e97e7f5ebf0b22a5bfa34ca82e2ff8f051ffc6f6dbd141cc6e5656e0250b0cf5c82
SSDEEP

3072:nUDBHy4BBy6eFJrmmIewRxMzJSQ6rVf0SAeq:n0yB6oJrcRMQxrVf3

Score

10^/10

gh0strat rat

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2772-2-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral1/memory/2772-3-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral1/memory/2772-5-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral1/memory/2772-7-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral1/memory/2772-9-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral1/memory/2772-10-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	211.57.200.17

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 2772	2008	rundll32.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28
PID 2008 wrote to memory of 2772	2008	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:2772

memory/2772-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2772-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download