gh0strat | 156959a62d3ddfb93e008d7a7cb7673ca717248f483a01cdac53209740f8b654

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 19:24

Target

156959a62d3ddfb93e008d7a7cb7673ca717248f483a01cdac53209740f8b654.dll
Size

899KB
MD5

e7fa9aab1c49328b3eacceff8c48f5fc
SHA1

1347390183dd45b614f238254e920335725ecffa
SHA256

156959a62d3ddfb93e008d7a7cb7673ca717248f483a01cdac53209740f8b654
SHA512

a17dd3995f033410af0f1abf04cb97385a29d2dc9c0ef5ab45050dc7dbe28d320b8ee8500590f524f91c7fc1c23cc1e9844824513c42f85c0d708735ef0cb583
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXK:7wqd87VK

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4364-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4364	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4364	3508	rundll32.exe	89
PID 3508 wrote to memory of 4364	3508	rundll32.exe	89
PID 3508 wrote to memory of 4364	3508	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\156959a62d3ddfb93e008d7a7cb7673ca717248f483a01cdac53209740f8b654.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\156959a62d3ddfb93e008d7a7cb7673ca717248f483a01cdac53209740f8b654.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4444,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
1⤵
PID:1012

memory/4364-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download