gh0strat | 5a961130130e022a37ab73a12601df5c0cb8be30e3588a75d6cd8a26d28ca5eb

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 18:15

Target

5a961130130e022a37ab73a12601df5c0cb8be30e3588a75d6cd8a26d28ca5eb.dll
Size

50KB
MD5

2a693de8656dd37ccc595cc8101904f0
SHA1

e0dffada4bcf4a5c8938a21746728bf13099103b
SHA256

5a961130130e022a37ab73a12601df5c0cb8be30e3588a75d6cd8a26d28ca5eb
SHA512

ba60065958617aa9908328909e5cb16ca8ab524ca8b0a1b9c8617e7cec834aae6e1705fd138a000e5e082f4b4309b1e292c2ba1f4ce0b31b653a9cb9c0dd0e91
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5DJYH:W5ReWjTrW9rNPgYo1JYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2992-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2992 rundll32.exe

pid	process
2992	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe
PID 2928 wrote to memory of 2992	2928	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a961130130e022a37ab73a12601df5c0cb8be30e3588a75d6cd8a26d28ca5eb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a961130130e022a37ab73a12601df5c0cb8be30e3588a75d6cd8a26d28ca5eb.dll,#1
2⤵
- Suspicious behavior: RenamesItself
PID:2992

memory/2992-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download