gh0strat | 53e7b73bdfe80be5b44384f1591bf0e93cd38b22070ec3b806333b838400d7e2

Analysis

max time kernel
140s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:39

Target

53e7b73bdfe80be5b44384f1591bf0e93cd38b22070ec3b806333b838400d7e2.dll
Size

899KB
MD5

25b803328a1dff151a3b06d77efbd126
SHA1

1ed60a93506966cd1f08b4f62232f017002ce15b
SHA256

53e7b73bdfe80be5b44384f1591bf0e93cd38b22070ec3b806333b838400d7e2
SHA512

78b0898a0e749fdb04dde8ae25e4e1cda4fd208e061febbebadccdd353cdd6b203831257690b804aa20f807eeff25b513340ffbae368144faf0630bdce09d763
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX9:7wqd87V9

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2228-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2228 rundll32.exe

pid	process
2228	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 2228	1628	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\53e7b73bdfe80be5b44384f1591bf0e93cd38b22070ec3b806333b838400d7e2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\53e7b73bdfe80be5b44384f1591bf0e93cd38b22070ec3b806333b838400d7e2.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2228

memory/2228-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download