gh0strat | e8de674cbe9d1c6464e578c780245bc94557ef62dac6848ea6d137f2186da41a

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:21

Target

e8de674cbe9d1c6464e578c780245bc94557ef62dac6848ea6d137f2186da41a.dll
Size

899KB
MD5

f362967126d60ee2e5329f7b1e1d4f73
SHA1

b84d3f998a204ba1b80b82bbe371776645338745
SHA256

e8de674cbe9d1c6464e578c780245bc94557ef62dac6848ea6d137f2186da41a
SHA512

d5ebfc11c40c49e4e9ddb19166ec7568b343d2a7573952d7efa7ebe9c9a3776a7f675a29efcae4c37cd41b2604cd306d4b87d1d7b3caeb0c928758d4f81f3cb7
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX7:7wqd87V7

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2032 rundll32.exe

pid	process
2032	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe
PID 1648 wrote to memory of 2032	1648	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8de674cbe9d1c6464e578c780245bc94557ef62dac6848ea6d137f2186da41a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8de674cbe9d1c6464e578c780245bc94557ef62dac6848ea6d137f2186da41a.dll,#1
2⤵
- Suspicious behavior: RenamesItself
PID:2032

memory/2032-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download