gh0strat | 8878847dc7e5439b63546598ddd7600a524cbb5b076fe7c7d5bd58322aef4f8f

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 00:55

Target

8878847dc7e5439b63546598ddd7600a524cbb5b076fe7c7d5bd58322aef4f8f.dll
Size

899KB
MD5

b9faaa006f2604efe7ed046a79cb0849
SHA1

b5df037cfd7e97ed249e8fc1ae7268d07188b544
SHA256

8878847dc7e5439b63546598ddd7600a524cbb5b076fe7c7d5bd58322aef4f8f
SHA512

5a988da9fa69e4b4a20611914c13ddac6a6079707aaa57f30bc72cb9b861c54f47484bc32ad03c52c40871e9e2ca8921e56f49592f5bc22e50a910f7c1e0feba
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXz:7wqd87Vz

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2096-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2096	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31
PID 2368 wrote to memory of 2096	2368	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8878847dc7e5439b63546598ddd7600a524cbb5b076fe7c7d5bd58322aef4f8f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8878847dc7e5439b63546598ddd7600a524cbb5b076fe7c7d5bd58322aef4f8f.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2096

memory/2096-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download