gh0strat | 5d3c105c1f376174b16d38b87c84fc0c9a7a0295a4bd54f18abeb7f6910a58ce

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 05:52

Target

5d3c105c1f376174b16d38b87c84fc0c9a7a0295a4bd54f18abeb7f6910a58ce.dll
Size

899KB
MD5

1dbf00241b450bfb6f01c31e673a183e
SHA1

f0797ae7ac39d64764e553a743d87f6734805ed3
SHA256

5d3c105c1f376174b16d38b87c84fc0c9a7a0295a4bd54f18abeb7f6910a58ce
SHA512

845fbe8a8e87778e947fba72ab1f089d2d8af5ea810bb58b507c6600936347ea7531cf6ce611a38d6338d5c87d03b19cdd0703046a7e4589ee33a1f16e74d5d3
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXM:7wqd87VM

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2424-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2424	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2424	1504	rundll32.exe	84
PID 1504 wrote to memory of 2424	1504	rundll32.exe	84
PID 1504 wrote to memory of 2424	1504	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d3c105c1f376174b16d38b87c84fc0c9a7a0295a4bd54f18abeb7f6910a58ce.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d3c105c1f376174b16d38b87c84fc0c9a7a0295a4bd54f18abeb7f6910a58ce.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2424

memory/2424-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download