gh0strat | 3d896891f3bb504e176a85b39eeaca21d3ce962b01ebb78b28f0bd48d5527968

Analysis

max time kernel
142s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 10:40

Target

3d896891f3bb504e176a85b39eeaca21d3ce962b01ebb78b28f0bd48d5527968.dll
Size

899KB
MD5

b3b1c33a402d5a98c03b9130d133f249
SHA1

0f80f5a25090bf642c9b33e15e8b55a0b318c129
SHA256

3d896891f3bb504e176a85b39eeaca21d3ce962b01ebb78b28f0bd48d5527968
SHA512

92d141ea1dc247b8ad9b13f4e94348f5b2014f7e7e5a735b06eb882d7594d817d15e9ab34e7b5d91f4e8a004208cb5d546c43a317fa14dbe06fa4b8fddda8a7a
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXf:7wqd87Vf

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5072-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5072	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 5072	2944	rundll32.exe	81
PID 2944 wrote to memory of 5072	2944	rundll32.exe	81
PID 2944 wrote to memory of 5072	2944	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d896891f3bb504e176a85b39eeaca21d3ce962b01ebb78b28f0bd48d5527968.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d896891f3bb504e176a85b39eeaca21d3ce962b01ebb78b28f0bd48d5527968.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:5072

memory/5072-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download