Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 28/04/2024, 08:14
Behavioral task: behavioral1
Sample: 74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll
Resource: win7-20240221-en
4 signatures
150 seconds
General
Target: 74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll
Size: 899KB
MD5: 48ada9c0a98c7ef880ad2872d42a722f
SHA1: dd71eeef342c5e09c93a86fe5fde952a3f70ff92
SHA256: 74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd
SHA512: 30934ce441d31014410e83b424b3dc8fa3c3c0c349c46c1068f8b9adbaee5d9335b08de053cb193fddaa60e3f17a5bff5532b358a6d83f2a25f7dc179b920a36
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXc:7wqd87Vc
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoCs)
resource | yara_rule
behavioral2/memory/2408-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
2408 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4900 wrote to memory of 2408 | 4900 | rundll32.exe | 90
PID 4900 wrote to memory of 2408 | 4900 | rundll32.exe | 90
PID 4900 wrote to memory of 2408 | 4900 | rundll32.exe | 90
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll,#1
  PID: 4900
  Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74ad445c8fc45036d4da6952ea68a837e6b17fd0990f1564a5991690085f20fd.dll,#1
      PID: 2408
      Suspicious behavior: RenamesItself

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3608 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 3540