Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 28/04/2024, 08:14
Behavioral task: behavioral1
Sample: c0bf979826d54c9282aed9f188503998df4f1b184fb5f54354422ff41d984eaa.dll
Resource: win7-20240215-en
4 signatures
150 seconds
General
Target: c0bf979826d54c9282aed9f188503998df4f1b184fb5f54354422ff41d984eaa.dll
Size: 50KB
MD5: 6eca9987a3ff8484313d06cd04ccc952
SHA1: 9740d5e670d0d5fb5bb1353923c9a50da5b4856f
SHA256: c0bf979826d54c9282aed9f188503998df4f1b184fb5f54354422ff41d984eaa
SHA512: c4f1ea52bb69738fd51cc588373c1b0ee4f66169c277801f6a29c38c942ae61850213b5902174c69086447864130405b432430895dfb6733a6a0c4a8380f383a
SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5YJYH:W5ReWjTrW9rNPgYoqJYH
Malware Config (extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
resource | yara_rule
behavioral1/memory/3012-0-0x0000000010000000-0x0000000010011000-memory.dmp | family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
3012 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
PID 3000 wrote to memory of 3012 | 3000 | rundll32.exe | 28
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0bf979826d54c9282aed9f188503998df4f1b184fb5f54354422ff41d984eaa.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3000

  C:\Windows\SysWOW64\rundll32.exe (child of PID 3000)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0bf979826d54c9282aed9f188503998df4f1b184fb5f54354422ff41d984eaa.dll,#1
    Signatures: Suspicious behavior: RenamesItself
    PID: 3012