gh0strat | d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 06:05

Target

d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17.dll
Size

899KB
MD5

7d67124660e4be132c8885cea438085d
SHA1

2905e6f813d74dcce9bd9015f501c594873f6e7e
SHA256

d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17
SHA512

0f5420f4a00c60abec3121f3976fe42cbf2e3c9edd50cb192bc1f8956da25de7d9f4bf235d219b43d55b8f290dbaee430ec229fab6cf95acead7c32e44398b68
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXb:7wqd87Vb

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2160-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2160	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2160	2704	rundll32.exe	83
PID 2704 wrote to memory of 2160	2704	rundll32.exe	83
PID 2704 wrote to memory of 2160	2704	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d373a6eb3984df17a8ef81d7a9e8cbef34902d59ed782cafc331f689e6ee0c17.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2160

memory/2160-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download