gh0strat | 87c1624b0aac23e94dd26c3ce5c77b5af906ca40c99176e7e64558044dcb8c7e

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 03:45

Target

87c1624b0aac23e94dd26c3ce5c77b5af906ca40c99176e7e64558044dcb8c7e.dll
Size

51KB
MD5

086dc156bf61573c04aecba67d800800
SHA1

08c589058583ec21e75ea64751c289076d4f3e96
SHA256

87c1624b0aac23e94dd26c3ce5c77b5af906ca40c99176e7e64558044dcb8c7e
SHA512

60e757dd8f06a24cdc4fd5f32d60e824cad30b71ead4c1fc2f724748b207f7e03113d68e12b2767ea8d52a45a9615b5135a878ea541d9c0f17388f7d581fbeef
SSDEEP

1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLZJYH5:1dWubF3n9S91BF3fbo9JYH5

Score

10^/10

gh0strat rat

Family

gh0strat

kinh.xmcxmr.com

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2276-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2276	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28
PID 2908 wrote to memory of 2276	2908	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c1624b0aac23e94dd26c3ce5c77b5af906ca40c99176e7e64558044dcb8c7e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c1624b0aac23e94dd26c3ce5c77b5af906ca40c99176e7e64558044dcb8c7e.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2276

memory/2276-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download