gh0strat | d453670cc7dbcfeeda55557fe6955be30b559c493dc58bee9d5b5fa487ee102b

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 03:52

Target

d453670cc7dbcfeeda55557fe6955be30b559c493dc58bee9d5b5fa487ee102b.dll
Size

51KB
MD5

00739802ff3e4d74cae4398b54d7d8f1
SHA1

1c1fc599e075adb1ed47ec7e889139ca5ea1fa77
SHA256

d453670cc7dbcfeeda55557fe6955be30b559c493dc58bee9d5b5fa487ee102b
SHA512

57db5ee6228670e01d361e3b975007c9de44339598e68a8cd0ba791a2fed0eeabc8ef6823174ebf3e6a376709db919016f96f31a04bad99b856c15bc4f6ee70f
SSDEEP

1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLnJYH5:1dWubF3n9S91BF3fboTJYH5

Score

10^/10

gh0strat rat

Family

gh0strat

kinh.xmcxmr.com

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3996-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3996	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3996	4376	rundll32.exe	84
PID 4376 wrote to memory of 3996	4376	rundll32.exe	84
PID 4376 wrote to memory of 3996	4376	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d453670cc7dbcfeeda55557fe6955be30b559c493dc58bee9d5b5fa487ee102b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d453670cc7dbcfeeda55557fe6955be30b559c493dc58bee9d5b5fa487ee102b.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3996

memory/3996-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download