gh0strat | b1c9374ee26ee555050734fece54fa743e186fb71dd65f927c17e78d78771cee

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 09:36

Target

b1c9374ee26ee555050734fece54fa743e186fb71dd65f927c17e78d78771cee.dll
Size

50KB
MD5

762beb410edec2aa5596cb29c738a4f3
SHA1

08f43ed1fe7ca8581cb91409e12b8bbefc269045
SHA256

b1c9374ee26ee555050734fece54fa743e186fb71dd65f927c17e78d78771cee
SHA512

3f8fc9c2b78b22515a4de75fb8caa93dffee013166deb8f34ec9a1883eed5a15a182f18fde92fd84af7b1ed01a83d9f5550ade85658976d424afd352c1be620c
SSDEEP

1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5bJYH:W5ReWjTrW9rNPgYoRJYH

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3228-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3228	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3228	1504	rundll32.exe	85
PID 1504 wrote to memory of 3228	1504	rundll32.exe	85
PID 1504 wrote to memory of 3228	1504	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c9374ee26ee555050734fece54fa743e186fb71dd65f927c17e78d78771cee.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c9374ee26ee555050734fece54fa743e186fb71dd65f927c17e78d78771cee.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3228

memory/3228-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download