gh0strat | 94a22e28c764c75620f1860909e637e7edcdca7f4d0fe1f40070806c9901ccb5

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 02:29

Target

94a22e28c764c75620f1860909e637e7edcdca7f4d0fe1f40070806c9901ccb5.dll
Size

899KB
MD5

874fb7b71ac0ae47e9aeb9cf7927922f
SHA1

2ef0e503eab3d910f14db17c5ac7665da86cf4a2
SHA256

94a22e28c764c75620f1860909e637e7edcdca7f4d0fe1f40070806c9901ccb5
SHA512

51b3f7cb121ea936fd016dd50cef77b71c1f2acddc5353c48826e473e5f13ffb1c0080413dea65ff9f1a0871af51c8f7e8d68e6c14d015bac1aa28d1b369bfdb
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXY:7wqd87VY

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2028-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2028	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28
PID 2072 wrote to memory of 2028	2072	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a22e28c764c75620f1860909e637e7edcdca7f4d0fe1f40070806c9901ccb5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a22e28c764c75620f1860909e637e7edcdca7f4d0fe1f40070806c9901ccb5.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2028

memory/2028-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download