Analysis
  max time kernel: 140s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 28/04/2024, 08:14

Behavioral task: behavioral1
  Sample: 74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll
  Resource: win7-20240221-en
  4 signatures
  150 seconds
General
  Target: 74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll
  Size: 899KB
  MD5: 48ada9c0a98c7ef880ad2872d42a722f
  SHA1: dd71eeef342c5e09c93a86fe5fde952a3f70ff92
  SHA256: 74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd
  SHA512: 30934ce441d31014410e83b424b3dc8fa3c3c0c349c46c1068f8b9adbaee5d9335b08de053cb193fddaa60e3f17a5bff5532b358a6d83f2a25f7dc179b920a36
  SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXc:7wqd87Vc
Malware Config
  Extracted
    Family: gh0strat
    C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/2488-0-0x0000000010000000-0x000000001014F000-memory.dmp   family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid    Process
  2488   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid    Process        procid_target
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
  PID 2020 wrote to memory of 2488    2020   rundll32.exe   28
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll,#1
    PID: 2020
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll,#1
      PID: 2488
      - Suspicious behavior: RenamesItself