gh0strat | bf247f9ea41e1eda3ad9a71177e263ee30b287665bd2d535b563eba3b51977e7

Analysis

max time kernel
145s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 02:19

Target

bf247f9ea41e1eda3ad9a71177e263ee30b287665bd2d535b563eba3b51977e7.dll
Size

51KB
MD5

cc6631d865e645b5096518e3ad1f3827
SHA1

4a44d160d856ef18bf4dc9cc922c71a238aa3f38
SHA256

bf247f9ea41e1eda3ad9a71177e263ee30b287665bd2d535b563eba3b51977e7
SHA512

aa10da0f982125bb337e5118b2f908774b8b1889e4d735ca8fb06875de0d83f006fbd4e37def3b0d1e8f3e46ed92a2bf1d1ed00d94e360941a68093eb8b056ca
SSDEEP

1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLWJYH5:1dWubF3n9S91BF3fboaJYH5

Score

10^/10

gh0strat rat

Family

gh0strat

kinh.xmcxmr.com

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4356-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4356	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4356	4696	rundll32.exe	82
PID 4696 wrote to memory of 4356	4696	rundll32.exe	82
PID 4696 wrote to memory of 4356	4696	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf247f9ea41e1eda3ad9a71177e263ee30b287665bd2d535b563eba3b51977e7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf247f9ea41e1eda3ad9a71177e263ee30b287665bd2d535b563eba3b51977e7.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4356

memory/4356-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download