gh0strat | 2dfdea38e07b82c85cec30e9075bed261c79ee0a0c02ba26de8bbb0c10cb9def

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 03:26

Target

2dfdea38e07b82c85cec30e9075bed261c79ee0a0c02ba26de8bbb0c10cb9def.dll
Size

899KB
MD5

2f0b65e2710b4e689611b41b8ec78c56
SHA1

eb5775d87c1d4c88056fac16857a3915708ad112
SHA256

2dfdea38e07b82c85cec30e9075bed261c79ee0a0c02ba26de8bbb0c10cb9def
SHA512

7322b6457d80b9fa9d9c4d4d3a7129c22fa5a79885645a26e35f7ab2b5a3bc99e5b9daadaeec160a75b3e77a97950928cad8d53a76c20678cfb957119758caa7
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXh:7wqd87Vh

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/704-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
704	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 704	388	rundll32.exe	84
PID 388 wrote to memory of 704	388	rundll32.exe	84
PID 388 wrote to memory of 704	388	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dfdea38e07b82c85cec30e9075bed261c79ee0a0c02ba26de8bbb0c10cb9def.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dfdea38e07b82c85cec30e9075bed261c79ee0a0c02ba26de8bbb0c10cb9def.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:704

memory/704-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download