gh0strat | 747ddd5f8e78ba2a75e11bd6e3f49990d6dd23512f7fa61b303a1df4853916b8

Analysis

max time kernel
145s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 07:11

Target

747ddd5f8e78ba2a75e11bd6e3f49990d6dd23512f7fa61b303a1df4853916b8.dll
Size

899KB
MD5

aabe6a3bce8a8f62e2c504592b8c3af6
SHA1

c60c86dd40b6b791ee303eed4ef3a76c150fb178
SHA256

747ddd5f8e78ba2a75e11bd6e3f49990d6dd23512f7fa61b303a1df4853916b8
SHA512

69537cc911c9047aa82effb680e4922768b6ba044405eeaf1d174e540500e33d715c1aa32a119008b2b50b6f91144aaa5382530db1f779bc1d7e4697daa957b4
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXw:7wqd87Vw

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4824-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4824	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4824	4180	rundll32.exe	83
PID 4180 wrote to memory of 4824	4180	rundll32.exe	83
PID 4180 wrote to memory of 4824	4180	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\747ddd5f8e78ba2a75e11bd6e3f49990d6dd23512f7fa61b303a1df4853916b8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\747ddd5f8e78ba2a75e11bd6e3f49990d6dd23512f7fa61b303a1df4853916b8.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4824

memory/4824-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download