Analysis
max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/04/2024, 04:14

Behavioral task: behavioral1
Sample: 4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll
Resource: win7-20240221-en
4 signatures
150 seconds
General
Target: 4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll
Size: 899KB
MD5: c4180e2ab4d45c9ca727ef73a16ae13f
SHA1: f6c3514d0aea8ea8cba9b7239307db47abc5d085
SHA256: 4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a
SHA512: 65f21d6a69d0f01f44d5d7f263c36257b3b091d94f2b4945df62d9bd71f1993207a338bb52bed2b92ca60fe9023d6f7bb2786e9046b1d1f08a946fdf7548e948
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXZ:7wqd87VZ
Malware Config (extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource                                                                          yara_rule
  behavioral1/memory/2932-0-0x0000000010000000-0x000000001014F000-memory.dmp        family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2932  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process       procid_target
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
  PID 1812 wrote to memory of 2932   1812  rundll32.exe  28
Processes

C:\Windows\system32\rundll32.exe (PID 1812)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 2932, child of 1812)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll,#1
    - Suspicious behavior: RenamesItself