gh0strat | eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a

Analysis

max time kernel
145s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 22:15

Target

eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll
Size

899KB
MD5

a7466233b27cedc3c79f5d9334ea5b79
SHA1

d4661555e2b5d1e071b642160dbd7cfb5aa424e2
SHA256

eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a
SHA512

fbecaedc3a5253a2520a234f9c92d4482eee6cb9ad970156cbe0260a6f0304f8d49920403c687e9ccdf2e159a1a921d2cff2deaca829b5a92c6c1424f0816e92
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXW:7wqd87VW

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3572-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3572	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3572	1312	rundll32.exe	83
PID 1312 wrote to memory of 3572	1312	rundll32.exe	83
PID 1312 wrote to memory of 3572	1312	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eceaf15b93f9af9793b27f61b91b500a6b9139c1747a9ef478c5d75f0822780a.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3572

memory/3572-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download