gh0strat | 196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 18:21

Target

196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll
Size

50KB
MD5

9a37b502e15360b97ad6334fea67dfba
SHA1

55ce73bac6481387827e67fbe3741edd81d98087
SHA256

196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98
SHA512

b8a71f05fd926ff845719c9337e99148ee9f17913eb61a137329a79963dd41b2cd9539e620c0b296ef508b7aefd8227aec7289f993d8b5622371cf267e1b6752
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5vJYH:W5ReWjTrW9rNPgYoNJYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2864 rundll32.exe

pid	process
2864	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2864	2168	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\196d1f73b583358470d803f45ceed961e105aa10119707750a8004a9635fde98.dll,#1
2⤵
- Suspicious behavior: RenamesItself
PID:2864

memory/2864-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download