gh0strat | c64afbc4551afc448da4f814b8727a31b85d9b47db1539706bfac15e4af1079a

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 22:38

Target

c64afbc4551afc448da4f814b8727a31b85d9b47db1539706bfac15e4af1079a.dll
Size

50KB
MD5

f728cd39ca0f24e6addb1d1f3f9cdf5f
SHA1

e216a1d8745dfc61dee5f1bb70e878dcc66a109c
SHA256

c64afbc4551afc448da4f814b8727a31b85d9b47db1539706bfac15e4af1079a
SHA512

197cf92f5ad8757390da84ba5fecc2d57d7775f2fe07f3dc3447596f4fd02ba22fb90a6e64f1f17b02e8c1d2cb12736189a0009203d4af981bcaeb7aa85a9217
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5wJYH:W5ReWjTrW9rNPgYoaJYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3612-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3612	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 3612	3792	rundll32.exe	82
PID 3792 wrote to memory of 3612	3792	rundll32.exe	82
PID 3792 wrote to memory of 3612	3792	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c64afbc4551afc448da4f814b8727a31b85d9b47db1539706bfac15e4af1079a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c64afbc4551afc448da4f814b8727a31b85d9b47db1539706bfac15e4af1079a.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3612

memory/3612-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download