gh0strat | 3a7ceca1335f3e53016bc43c1e1f46674b9e2a94d0e5a2066d3957776fe86f39

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 17:22

Target

3a7ceca1335f3e53016bc43c1e1f46674b9e2a94d0e5a2066d3957776fe86f39.dll
Size

50KB
MD5

03ed84a41e6a22def017d1b9b29929de
SHA1

cefcd73ac9d5efaadceabfcfa27ccdc47cb722e1
SHA256

3a7ceca1335f3e53016bc43c1e1f46674b9e2a94d0e5a2066d3957776fe86f39
SHA512

c82b19aedcc80b03ccdcc0597dcb4b3e05c633b4e4f08861d88ace3f7bd0e0876eaf4fea84269114f22df48794f728f9498ab4e35f076fe11edac0fbe43a9b06
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5WJYH:W5ReWjTrW9rNPgYo8JYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2404-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2404	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2404	1436	rundll32.exe	80
PID 1436 wrote to memory of 2404	1436	rundll32.exe	80
PID 1436 wrote to memory of 2404	1436	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7ceca1335f3e53016bc43c1e1f46674b9e2a94d0e5a2066d3957776fe86f39.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3a7ceca1335f3e53016bc43c1e1f46674b9e2a94d0e5a2066d3957776fe86f39.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2404

memory/2404-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download