Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/03/2025, 00:22

General

  • Target
    43bc911d4184132dc67be0bfa91eeab77bc81a990a9f011ef3048c32ecb17ac5.dll
  • Size
    137KB
  • MD5
    22d818083c101f819e075dcb5499195c
  • SHA1
    e895d8d3abba9d7040c7b1f523ce62ea1433c76f
  • SHA256
    43bc911d4184132dc67be0bfa91eeab77bc81a990a9f011ef3048c32ecb17ac5
  • SHA512
    a6eb06410ff75d3760d89e4d7b6148c9271364590a94c79209929652c7ff54ac81c7c176ec074f6fb5874cd6c788d61de12b5900fb46bc4336c190de6470e1b0
  • SSDEEP
    3072:mR02WMK8RJGInTlhnaBanONVk40rpg4yeF/TyUGSK9FrafcUksPxx6iTUuX:D25GgFny61mrad

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Blocklisted process makes network request 1 IoCs
  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 16 IoCs

    Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.

  • Sets service image path in registry 2 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 15 IoCs

    Detects file using ACProtect software.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\43bc911d4184132dc67be0bfa91eeab77bc81a990a9f011ef3048c32ecb17ac5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\43bc911d4184132dc67be0bfa91eeab77bc81a990a9f011ef3048c32ecb17ac5.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Boot or Logon Autostart Execution: Port Monitors
      • Sets service image path in registry
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 616
        3⤵
        • Program crash
        PID:1116
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe -k rundll32
        3⤵
        • Boot or Logon Autostart Execution: Port Monitors
        • Sets service image path in registry
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3724 -ip 3724
    1⤵
      PID:2296
    • C:\Windows\system32\Spoolsv.exe
      Spoolsv.exe
      1⤵
        PID:5860
      • C:\Windows\system32\Spoolsv.exe
        Spoolsv.exe
        1⤵
        • Boot or Logon Autostart Execution: Port Monitors
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:5800

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\AppPatch\ComBack.Dll
    Filesize: 137KB
    MD5: d965445b8ef91426ad70919b0ba31530
    SHA1: b8d8930350436c1241ca60eb6b17beb5345570da
    SHA256: af8c3f95ec4492d25742e0fcebdc4c3a8e46b0c8ea011ea267e789a2276084d9
    SHA512: 99a2aaac67a0dd0444b2880c6570252097798aeb2840103fe1c7192c999b8a96bd2845411f4ca8d7c76ace43553a641e579314d7f3af13e70191064ec95ffe4c

  • C:\Windows\SysWOW64\Miscson.dll
    Filesize: 137KB
    MD5: a092f9e6827fb6a007dfb499e109733a
    SHA1: 533f7f388d690e20ba71db9cc456e2fb7b0808a8
    SHA256: 37fc99c48cc9ac5433cb2fddf13a5663574b2fb2e773bd13810c7ba4de2026f9
    SHA512: 737355d539813e7840301d0521b17dca0d3403a60a005d974cb7cc4272c1ecf9ba52a1f425d540ba2ee3b9fb675884e0932cb7f26aa994e9fd40c7ae78a566db

  • C:\Windows\SysWOW64\com\comb.dll
    Filesize: 128B
    MD5: 6b374ba9e5f2261d9c87a370292779aa
    SHA1: 38c055538564ded5631e706b4b97b2deabde6a01
    SHA256: 4418ce9e355210c7bffc5f0473380609b27e6aa236c3486ff00256356a334bf0
    SHA512: 3e41fb097018e78ac7e758dd6faf40f651c5bc0d03041719d67cc2026e7bb07df2f445cfa070b3b1574b7ff17d71baec74f28cf62545fb37b27abbbaaa8d1721

  • C:\Windows\SysWOW64\scsimon.dll
    Filesize: 137KB
    MD5: 32d335360ba47e6c6bc2ca48fc69ae8e
    SHA1: 7816fec032823bdc4747abfc2fcc68f780393e93
    SHA256: 45bb75add1be524367d2f07dc1491077a86a07f1d7849963b26dbaea87871641
    SHA512: bb8a9c8a6c8affd908ea033fd27239013e84ece55ad596b362d2b3568ddf8b4191eeb1ea57034e0ac64c20f1e879bfcec788178b34d3b00532baefe62dc0a38b

  • memory/3724-12-0x0000000002DE0000-0x0000000002DFD000-memory.dmp (Filesize 116KB)
  • memory/3724-18-0x0000000002DE0000-0x0000000002DFD000-memory.dmp (Filesize 116KB)
  • memory/3724-39-0x0000000010000000-0x000000001001C000-memory.dmp (Filesize 112KB)
  • memory/3724-10-0x0000000002DE0000-0x0000000002DFD000-memory.dmp (Filesize 116KB)
  • memory/3724-6-0x0000000010000000-0x000000001001C000-memory.dmp (Filesize 112KB)
  • memory/3724-7-0x0000000002DE0000-0x0000000002DFD000-memory.dmp (Filesize 116KB)
  • memory/3724-14-0x0000000002DE0000-0x0000000002DFD000-memory.dmp (Filesize 116KB)
  • memory/3724-13-0x0000000002DE0000-0x0000000002DFD000-memory.dmp (Filesize 116KB)
  • memory/3724-5-0x0000000010000000-0x000000001001C000-memory.dmp (Filesize 112KB)
  • memory/3724-41-0x0000000043E50000-0x0000000043E77000-memory.dmp (Filesize 156KB)
  • memory/4904-17-0x0000000001440000-0x0000000001467000-memory.dmp (Filesize 156KB)
  • memory/4904-30-0x0000000003150000-0x000000000316D000-memory.dmp (Filesize 116KB)
  • memory/4904-28-0x0000000003150000-0x000000000316D000-memory.dmp (Filesize 116KB)
  • memory/4904-31-0x0000000003150000-0x000000000316D000-memory.dmp (Filesize 116KB)
  • memory/4904-26-0x0000000003150000-0x000000000316D000-memory.dmp (Filesize 116KB)
  • memory/4904-29-0x0000000003150000-0x000000000316D000-memory.dmp (Filesize 116KB)
  • memory/4904-25-0x0000000003150000-0x000000000316D000-memory.dmp (Filesize 116KB)
  • memory/4904-22-0x0000000001440000-0x0000000001467000-memory.dmp (Filesize 156KB)
  • memory/4904-42-0x0000000001440000-0x0000000001467000-memory.dmp (Filesize 156KB)
  • memory/4904-15-0x0000000001440000-0x0000000001467000-memory.dmp (Filesize 156KB)
  • memory/4904-16-0x0000000000E90000-0x0000000000EB3000-memory.dmp (Filesize 140KB)