gh0strat | d6c3da0b1314783b83708726572c8b7097bae1f089e71159df02f1db4b85763d

Analysis

max time kernel
140s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 06:17

Target

d6c3da0b1314783b83708726572c8b7097bae1f089e71159df02f1db4b85763d.dll
Size

899KB
MD5

099f30ffef34f275172e7cb841797b51
SHA1

4e696ae3529fede0bb3e076903c31d37f3dd4e4f
SHA256

d6c3da0b1314783b83708726572c8b7097bae1f089e71159df02f1db4b85763d
SHA512

a6fd1cfb135e833753cf30b480c660c7d1b9de3345a942f4f1829174e56eff0100319579e7b0bfc20948cad9b63efa1b722488090570708388db48ea5e0a936b
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXG:7wqd87VG

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1924-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1924	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 1924	4576	rundll32.exe	85
PID 4576 wrote to memory of 1924	4576	rundll32.exe	85
PID 4576 wrote to memory of 1924	4576	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6c3da0b1314783b83708726572c8b7097bae1f089e71159df02f1db4b85763d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6c3da0b1314783b83708726572c8b7097bae1f089e71159df02f1db4b85763d.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1924

memory/1924-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download