gh0strat | 1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 22:04

Target

1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll
Size

899KB
MD5

72ca27e549045bc4ad9e5670827b5790
SHA1

bea2ab31d1f0936c0a8bedbe1858f76dbaf910d7
SHA256

1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120
SHA512

b33b7029d61f8b549098cd7bef2586c90210ed6d44639b91d5b3503e1498b7a2e05844adcf081d3f82ebcbca027fcde5964e4f6fdf2a03bca09a78ee58c3280f
SSDEEP

24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXo:7wqd87Vo

Score

10^/10

Family

gh0strat

hackerinvasion.f3322.net

Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2272-0-0x0000000010000000-0x000000001014F000-memory.dmp family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

2272 rundll32.exe

resource	yara_rule
behavioral1/memory/2272-0-0x0000000010000000-0x000000001014F000-memory.dmp	family_gh0strat

pid	process
2272	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2272	2284	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll,#1
2⤵
- Suspicious behavior: RenamesItself
PID:2272

memory/2272-0-0x0000000010000000-0x000000001014F000-memory.dmp

Filesize
1.3MB

Download