gh0strat | ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:01

Target

ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll
Size

50KB
MD5

7fc17999e2396852ea7ad3e813745ddd
SHA1

d099202eaf4ffa17c6b2a636f2a4ca434b7598c6
SHA256

ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77
SHA512

c71e51750c9279067aaeed7f2f99364f026ce6259c544702bc8ad506a783f50bff1bea4db59ae752d04ca6b5362c8c053bf4c0fddecfac06ff832afd8511313d
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5/JYH:W5ReWjTrW9rNPgYoRJYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2292-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2292 rundll32.exe

pid	process
2292	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 2292	2980	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll,#1
2⤵
- Suspicious behavior: RenamesItself
PID:2292

memory/2292-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download