Analysis

Max time kernel: 149s
Max time network: 53s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28/04/2024, 04:14

Behavioral task: behavioral1
Sample: 4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll
Resource: win7-20240221-en
Signatures: 4
Run time: 150 seconds
General

Target: 4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll
Size: 899KB
MD5: c4180e2ab4d45c9ca727ef73a16ae13f
SHA1: f6c3514d0aea8ea8cba9b7239307db47abc5d085
SHA256: 4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a
SHA512: 65f21d6a69d0f01f44d5d7f263c36257b3b091d94f2b4945df62d9bd71f1993207a338bb52bed2b92ca60fe9023d6f7bb2786e9046b1d1f08a946fdf7548e948
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXZ:7wqd87VZ
Malware Config (extracted)

Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/4412-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 4412, process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4396 wrote to memory of 4412, process: rundll32.exe, procid_target: 85
  description: PID 4396 wrote to memory of 4412, process: rundll32.exe, procid_target: 85
  description: PID 4396 wrote to memory of 4412, process: rundll32.exe, procid_target: 85
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll,#1
   PID: 4396
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4704da2d06e33de289de80bdcdcb709b002c19150fa7dc64e94727e7dc7ea29a.dll,#1
      PID: 4412
      - Suspicious behavior: RenamesItself