Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28/04/2024, 08:14
Behavioral task
behavioral1
Sample
4d92b085b528ea5241d387b81a8299d507f1d714c866c322c397c3e1e204221f.dll
Resource
win7-20240220-en
4 signatures
150 seconds
General
-
Target
4d92b085b528ea5241d387b81a8299d507f1d714c866c322c397c3e1e204221f.dll
-
Size
899KB
-
MD5
97d6dba4e8871c5a09356bbc616c512c
-
SHA1
b2fe9fa228b59d05310a6070b0c2d4d706f20869
-
SHA256
4d92b085b528ea5241d387b81a8299d507f1d714c866c322c397c3e1e204221f
-
SHA512
fbe616430365d52ae7a76b9fc67b79f01d6cc71fc36d7ff433068695217a96dae349eda76be9bc2849751dc3968d6948ba6204538b2eb9acb93a61edf77c6469
-
SSDEEP
24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX3:7wqd87V3
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
Signatures
-
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2016-0-0x0000000010000000-0x000000001014F000-memory.dmp family_gh0strat -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2016 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2016 2468 rundll32.exe 28 PID 2468 wrote to memory of 2016 2468 rundll32.exe 28 PID 2468 wrote to memory of 2016 2468 rundll32.exe 28 PID 2468 wrote to memory of 2016 2468 rundll32.exe 28 PID 2468 wrote to memory of 2016 2468 rundll32.exe 28 PID 2468 wrote to memory of 2016 2468 rundll32.exe 28 PID 2468 wrote to memory of 2016 2468 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4d92b085b528ea5241d387b81a8299d507f1d714c866c322c397c3e1e204221f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4d92b085b528ea5241d387b81a8299d507f1d714c866c322c397c3e1e204221f.dll,#12⤵
- Suspicious behavior: RenamesItself
PID:2016
-