Analysis
max time kernel: 148s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/04/2024, 00:15
Behavioral task: behavioral1
Sample: c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll
Resource: win7-20240221-en
4 signatures, 150 seconds
General
Target: c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll
Size: 899KB
MD5: 4c14034e97d48b625eae6c2a1ade45d3
SHA1: 6c7d1bfdf006e670dbca86a7479271aafbdcec47
SHA256: c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62
SHA512: 5179dd2e0711c77b2d2e2ab5a0e75c9e03b81adf5e3e3bc9770ab5fa1c5c9e0febcdc93a8d43321f567e4a2f29ee2d68552c5025800e83def554ab1269493b1c
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXM:7wqd87VM
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/2052-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
  pid: 2052
  process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / process / procid_target
  PID 724 wrote to memory of 2052 / 724 / rundll32.exe / 83
  PID 724 wrote to memory of 2052 / 724 / rundll32.exe / 83
  PID 724 wrote to memory of 2052 / 724 / rundll32.exe / 83
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll,#1
  PID: 724
  flags: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll,#1
    PID: 2052
    flags: Suspicious behavior: RenamesItself