gh0strat | ba1c0b55957acff031a5c001436984ee69ee24decc565557dbb617e6c28ec0f1

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 10:29

Target

ba1c0b55957acff031a5c001436984ee69ee24decc565557dbb617e6c28ec0f1.dll
Size

899KB
MD5

67a84bf19984114129b101ba81782c2c
SHA1

2c8e719bf20fb21d532707d3b9c789aa37c1486b
SHA256

ba1c0b55957acff031a5c001436984ee69ee24decc565557dbb617e6c28ec0f1
SHA512

323bbed368e8d897e3b77f3c3faf9c463cd2dfb20ce15a8d0143060d9b3b9e5996ab52081b1556d3fb734464733b84754b6bfcffab3282fabace717469033d8d
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXl:7wqd87Vl

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1524-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1524	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28
PID 2116 wrote to memory of 1524	2116	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba1c0b55957acff031a5c001436984ee69ee24decc565557dbb617e6c28ec0f1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba1c0b55957acff031a5c001436984ee69ee24decc565557dbb617e6c28ec0f1.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1524

memory/1524-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download