gh0strat | 76cdb0a25ade2af077c9f45fd013f7ddcfa00b10fa48e638a52db29300bf8aba

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 22:27

Target

76cdb0a25ade2af077c9f45fd013f7ddcfa00b10fa48e638a52db29300bf8aba.dll
Size

899KB
MD5

41ec1841464dd7393f16950ac39b9d27
SHA1

8bc6719f504cf99becd8e09a8fa5f2fa8dd56241
SHA256

76cdb0a25ade2af077c9f45fd013f7ddcfa00b10fa48e638a52db29300bf8aba
SHA512

cbc7b9e53c42d8013d578eba1e2fb509e57d6f10d45e129280a95483db66682ea34ad5a07833090186493f7043635d9f5b56a9d3410707f7967abae5b3360c99
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXv:7wqd87Vv

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/3048-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3048	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28
PID 2136 wrote to memory of 3048	2136	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76cdb0a25ade2af077c9f45fd013f7ddcfa00b10fa48e638a52db29300bf8aba.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76cdb0a25ade2af077c9f45fd013f7ddcfa00b10fa48e638a52db29300bf8aba.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3048

memory/3048-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download