gh0strat | f362f4233bcbf4afc1e4c7fabf489d2c1a77c92cb07a6ec4863b8d33e35cb5c0

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 07:55

Target

f362f4233bcbf4afc1e4c7fabf489d2c1a77c92cb07a6ec4863b8d33e35cb5c0.dll
Size

899KB
MD5

f783f90a0d5ac1871b543e45050cfb2b
SHA1

2dad5fd0cb5df0544cfc6d8f2d762191f1dab8d8
SHA256

f362f4233bcbf4afc1e4c7fabf489d2c1a77c92cb07a6ec4863b8d33e35cb5c0
SHA512

725413705b7407311c2eb490e961491ddd2363f6b2f92d1876faca08a2b0a0bdccab2aa9768a34d1a0a23a6f46e4f1457895633133600ca0414967215927b93c
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX6:7wqd87V6

Score

10^/10

gh0strat rat

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3812-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3812	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 3812	1072	rundll32.exe	86
PID 1072 wrote to memory of 3812	1072	rundll32.exe	86
PID 1072 wrote to memory of 3812	1072	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f362f4233bcbf4afc1e4c7fabf489d2c1a77c92cb07a6ec4863b8d33e35cb5c0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f362f4233bcbf4afc1e4c7fabf489d2c1a77c92cb07a6ec4863b8d33e35cb5c0.dll,#1
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3812

memory/3812-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download