Analysis
  max time kernel: 140s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 28/04/2024, 00:24
Behavioral task: behavioral1
  Sample: b56cdf901fd2ffa8cf098df43680d3bae5bd99c6946467eab0bce477ec7eefe6.dll
  Resource: win7-20240221-en
  Signatures: 4
  Duration: 150 seconds
General
  Target: b56cdf901fd2ffa8cf098df43680d3bae5bd99c6946467eab0bce477ec7eefe6.dll
  Size: 51KB
  MD5: f632e578e0b4c3e2377d10bcb71dc829
  SHA1: 3fc5c244a7fe496964729164387c481589219f2b
  SHA256: b56cdf901fd2ffa8cf098df43680d3bae5bd99c6946467eab0bce477ec7eefe6
  SHA512: 6aa0879d2f43279499c65718f60e729266fba2e9c257dc8300ded212e03c00867bc8979abeffd97cfaed2b13700acf33397c74b4c8ea1c1d03658c3d2ca35151
  SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLVJYH5:1dWubF3n9S91BF3fboxJYH5
Malware Config (extracted)
  Family: gh0strat
  C2: kinh.xmcxmr.com
Signatures

  Gh0st RAT payload (1 IoC)
    resource                                                                    yara_rule
    behavioral1/memory/1264-0-0x0000000010000000-0x0000000010011000-memory.dmp  family_gh0strat

  Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    1264  rundll32.exe

  Suspicious use of WriteProcessMemory (7 IoCs)
    description                       pid   Process       procid_target
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
    PID 2740 wrote to memory of 1264  2740  rundll32.exe  28
Processes

  1. C:\Windows\system32\rundll32.exe
     command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b56cdf901fd2ffa8cf098df43680d3bae5bd99c6946467eab0bce477ec7eefe6.dll,#1
     PID: 2740
     signatures: Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b56cdf901fd2ffa8cf098df43680d3bae5bd99c6946467eab0bce477ec7eefe6.dll,#1
        PID: 1264
        signatures: Suspicious behavior: RenamesItself