gh0strat | d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17

Analysis

max time kernel
140s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 06:05

Target

d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17.dll
Size

899KB
MD5

7d67124660e4be132c8885cea438085d
SHA1

2905e6f813d74dcce9bd9015f501c594873f6e7e
SHA256

d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17
SHA512

0f5420f4a00c60abec3121f3976fe42cbf2e3c9edd50cb192bc1f8956da25de7d9f4bf235d219b43d55b8f290dbaee430ec229fab6cf95acead7c32e44398b68
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXb:7wqd87Vb

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1732-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1732	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30
PID 2376 wrote to memory of 1732	2376	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1732

memory/1732-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download