gh0strat | f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22

Analysis

max time kernel
146s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 05:05

Target

f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll
Size

51KB
MD5

059a8c67b1501bfcfa238690e3723def
SHA1

e52a5b9e718ccc6e1d2ad10caae341201eb2a836
SHA256

f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22
SHA512

3191e8727d88c41194c7eca921f3274c71b8d5bc1488dc5b45012b7b8310d99d1dc9705ea59f675065adead31a2fdb70f878f7133112a55fcb76853bd8b09e86
SSDEEP

1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLWJYH5:1dWubF3n9S91BF3fboCJYH5

Score

10^/10

gh0strat rat

Family

gh0strat

kinh.xmcxmr.com

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1564-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1564	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1564	1920	rundll32.exe	83
PID 1920 wrote to memory of 1564	1920	rundll32.exe	83
PID 1920 wrote to memory of 1564	1920	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6adb37383d25723fe092c383dbe7abf43e1097140fc15b3fdbf189caf172f22.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1564

memory/1564-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download