Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 14:14

General

  • Target

    4b8feda8a7776e55a834d66dfcb08a76e03b7111a9907afa6bcd53f606426b6c.dll

  • Size

    51KB

  • MD5

    38d421472a3758a37361f381b43a6a41

  • SHA1

    13a64694856c8518214e15ce283dfec3c55c0d83

  • SHA256

    4b8feda8a7776e55a834d66dfcb08a76e03b7111a9907afa6bcd53f606426b6c

  • SHA512

    f614acb5d896616ca16820bebf0a741555cf27cba57980e321165209b677e21ff0afc5b6a76a9493bb9f611f1a9c86899c4fde26c6ab1f9e0455870811649522

  • SSDEEP

    1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLsJYH5:1dWubF3n9S91BF3fboYJYH5

Score
10/10

Malware Config

Extracted

Family

gh0strat

C2

kinh.xmcxmr.com

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b8feda8a7776e55a834d66dfcb08a76e03b7111a9907afa6bcd53f606426b6c.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b8feda8a7776e55a834d66dfcb08a76e03b7111a9907afa6bcd53f606426b6c.dll,#1
      2⤵
      • Suspicious behavior: RenamesItself
      PID:1472
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
    1⤵
      PID:5036

Downloads

  • memory/1472-0-0x0000000010000000-0x0000000010011000-memory.dmp

    Filesize

    68KB