gh0strat | 2e962505456dd8da1cfeb9ed2cea4dd6dc686814436d51ffac2a3b6359341257

Analysis

max time kernel
142s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 23:38

Target

2e962505456dd8da1cfeb9ed2cea4dd6dc686814436d51ffac2a3b6359341257.dll
Size

899KB
MD5

a20728bee239b98b8339740b889e8e03
SHA1

d230bf521618ba303647f21d2b672b0e8de67719
SHA256

2e962505456dd8da1cfeb9ed2cea4dd6dc686814436d51ffac2a3b6359341257
SHA512

9ee33a295290881feb39d78f4ee721f187042cc589530423bd1dcb4c6c1354f8aecbe126329c527dc775271a48add82d32dd666175ce70bb397310e3cc9ce48c
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXK:7wqd87VK

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1280-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1280	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28
PID 2208 wrote to memory of 1280	2208	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e962505456dd8da1cfeb9ed2cea4dd6dc686814436d51ffac2a3b6359341257.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e962505456dd8da1cfeb9ed2cea4dd6dc686814436d51ffac2a3b6359341257.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1280

memory/1280-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download