gh0strat | 7cfdb3ca0a9be7a527a168d11637386293426de41715efb1c59b77ce9cf12535

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 18:34

Target

7cfdb3ca0a9be7a527a168d11637386293426de41715efb1c59b77ce9cf12535.dll
Size

50KB
MD5

2cef31800ebcf0b11829a368ee82126b
SHA1

6741d285397c87a2aba351e420b6546eb20842cf
SHA256

7cfdb3ca0a9be7a527a168d11637386293426de41715efb1c59b77ce9cf12535
SHA512

fa9f8b79690222b7ace058ddc534b948c64a1296964f5b2dded0f381a9bcffd9092923aa38c56a6c9677fb533ccb5335a63bff3521c4c59af701ddca3dcf9c68
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5iJYH:W5ReWjTrW9rNPgYoUJYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2268-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2268	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28
PID 3056 wrote to memory of 2268	3056	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cfdb3ca0a9be7a527a168d11637386293426de41715efb1c59b77ce9cf12535.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cfdb3ca0a9be7a527a168d11637386293426de41715efb1c59b77ce9cf12535.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2268

memory/2268-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download