gh0strat | 4cc4a35f2dc3df4e3bdbfebd45f2a271bf9cb0a1d3fb1ad25976aec52909ee6c

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 11:05

Target

4cc4a35f2dc3df4e3bdbfebd45f2a271bf9cb0a1d3fb1ad25976aec52909ee6c.dll
Size

899KB
MD5

bf9ec1378e86c6ddfb5d146b331e305e
SHA1

6b13f064ef616cc35c97247e44a4ef1fcc5f4438
SHA256

4cc4a35f2dc3df4e3bdbfebd45f2a271bf9cb0a1d3fb1ad25976aec52909ee6c
SHA512

24f943a7195c54f1763a956e53ce464345fe83ebd19b0e3e11f92a04efe7b1b069f4f7934591d457a725e4027750ff72eb1e06f4d3326d8dc21a980fbae502f4
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXU:7wqd87VU

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2204-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2204	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28
PID 2176 wrote to memory of 2204	2176	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4cc4a35f2dc3df4e3bdbfebd45f2a271bf9cb0a1d3fb1ad25976aec52909ee6c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4cc4a35f2dc3df4e3bdbfebd45f2a271bf9cb0a1d3fb1ad25976aec52909ee6c.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2204

memory/2204-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download