gh0strat | 788fd703e37323feb67538eb1b8e4370ad7b3b902efac083fd1e3c2eedafbb72

Analysis

max time kernel
140s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 08:10

Target

788fd703e37323feb67538eb1b8e4370ad7b3b902efac083fd1e3c2eedafbb72.dll
Size

51KB
MD5

ab113b6e9637d5560e1693309b68adfe
SHA1

27d2c87fd09e9bf7bb8214cf3beca207b2332b3a
SHA256

788fd703e37323feb67538eb1b8e4370ad7b3b902efac083fd1e3c2eedafbb72
SHA512

8f33d6e52efd7dbcb36955ad32f7bfd3739425148f2cff88c26ed9a4420b41c1ba87ae321642062c4a13bdc4842c968e37301c615218a2517ddb9b5a605e8b2f
SSDEEP

1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL2JYH5:1dWubF3n9S91BF3fboKJYH5

Score

10^/10

gh0strat rat

Family

gh0strat

kinh.xmcxmr.com

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2728-0-0x0000000010000000-0x0000000010011000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2728	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2728	3020	rundll32.exe	84
PID 3020 wrote to memory of 2728	3020	rundll32.exe	84
PID 3020 wrote to memory of 2728	3020	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\788fd703e37323feb67538eb1b8e4370ad7b3b902efac083fd1e3c2eedafbb72.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\788fd703e37323feb67538eb1b8e4370ad7b3b902efac083fd1e3c2eedafbb72.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2728

memory/2728-0-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download