gh0strat | 0abe743d80059541945a8eb417a662beeaa67b44d71770b9f7abfb472e3718e5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 18:31

Target

0abe743d80059541945a8eb417a662beeaa67b44d71770b9f7abfb472e3718e5.dll
Size

134KB
MD5

a738a013faec479b28aed22efdc81458
SHA1

b6804ec498ab2239d6ca0119648bc1e76ec5eef2
SHA256

0abe743d80059541945a8eb417a662beeaa67b44d71770b9f7abfb472e3718e5
SHA512

3da878f69593119bd03801527f9cf67c964446f25fbacc1e5b53df5f62090d30d40e9e7a0ea83111f4c5134c1df01388d6baf4602a0b76882cbac43da0e2204c
SSDEEP

3072:dhPm77B1ZDwB76mVlZ9FArVf0SA3MG5vY:vWd1ZDg7HXArVf65vY

Score

10^/10

gh0strat rat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/3468-0-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral2/memory/3468-2-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral2/memory/3468-3-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat
behavioral2/memory/3468-4-0x0000000000400000-0x000000000040A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	211.57.200.17

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 3468	5040	rundll32.exe	84

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 5040	264	rundll32.exe	83
PID 264 wrote to memory of 5040	264	rundll32.exe	83
PID 264 wrote to memory of 5040	264	rundll32.exe	83
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84
PID 5040 wrote to memory of 3468	5040	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0abe743d80059541945a8eb417a662beeaa67b44d71770b9f7abfb472e3718e5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0abe743d80059541945a8eb417a662beeaa67b44d71770b9f7abfb472e3718e5.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:3468

memory/3468-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3468-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3468-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3468-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download