gh0strat | 44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 20:14

Target

44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5.dll
Size

141KB
MD5

20106927ddeb4caa29d0c4879bc82f3d
SHA1

5bbb91b7c923a3b81ab7baa3122ae1f76a9899f8
SHA256

44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5
SHA512

11f8b8b0a50026017e21d76c171b44a8f661af63676b95b6ac88a97f06801e97e7f5ebf0b22a5bfa34ca82e2ff8f051ffc6f6dbd141cc6e5656e0250b0cf5c82
SSDEEP

3072:nUDBHy4BBy6eFJrmmIewRxMzJSQ6rVf0SAeq:n0yB6oJrcRMQxrVf3

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4148-0-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral2/memory/4148-2-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral2/memory/4148-3-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral2/memory/4148-4-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	211.57.200.17

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 4148	1668	rundll32.exe	85
PID 1668 set thread context of 4868	1668	rundll32.exe	95

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4148	1668	rundll32.exe	85
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95
PID 1668 wrote to memory of 4868	1668	rundll32.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44c220651856acc5554db7067e2cc4205a947044142604f6482952e802cf36b5.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:4148
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:4868

memory/4148-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4148-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4148-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4148-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download