gh0strat | 617d0c8a9d94d5d81e94bcf860347e07f25a701cdc58b8c61d0d889fce5cc90c

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 21:01

Target

617d0c8a9d94d5d81e94bcf860347e07f25a701cdc58b8c61d0d889fce5cc90c.dll
Size

899KB
MD5

1abf743645acc3b3109b6ef6c923f084
SHA1

044c811420b74fb11e703a0deb3672aa405807b3
SHA256

617d0c8a9d94d5d81e94bcf860347e07f25a701cdc58b8c61d0d889fce5cc90c
SHA512

600f29f6831f2237856fc148d61a51f171bcd23da7e5d26ca0f5730362baff7ed468a0264773273d3a18236d7bb32af92b8d074bcefbeaf1a3047da8f716f7aa
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXM:7wqd87VM

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1652-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1652	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28
PID 1124 wrote to memory of 1652	1124	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\617d0c8a9d94d5d81e94bcf860347e07f25a701cdc58b8c61d0d889fce5cc90c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\617d0c8a9d94d5d81e94bcf860347e07f25a701cdc58b8c61d0d889fce5cc90c.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1652

memory/1652-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download