Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/04/2024, 08:14
Behavioral task
behavioral1
Sample
32be99ae2f646ac264fa133f836f43e2b72b916c21e74c01c3f55b3aa9a3249b.dll
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
32be99ae2f646ac264fa133f836f43e2b72b916c21e74c01c3f55b3aa9a3249b.dll
-
Size
899KB
-
MD5
f01ecb71cdd69cb2063f2814e5d05cf5
-
SHA1
37cd29b4c75e943005dcb0be77bc93fed36cd052
-
SHA256
32be99ae2f646ac264fa133f836f43e2b72b916c21e74c01c3f55b3aa9a3249b
-
SHA512
c64c4e9907c5068d34480cb0130836ada01e4a2a83e73e579fab05b9d664f339863a8917d3c6929736c7661f4c09bee228846bb7ad59ecc2cb294cb471796b9d
-
SSDEEP
24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXM:7wqd87VM
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
Signatures
-
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2064-0-0x0000000010000000-0x000000001014F000-memory.dmp family_gh0strat -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2064 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2064 2112 rundll32.exe 28 PID 2112 wrote to memory of 2064 2112 rundll32.exe 28 PID 2112 wrote to memory of 2064 2112 rundll32.exe 28 PID 2112 wrote to memory of 2064 2112 rundll32.exe 28 PID 2112 wrote to memory of 2064 2112 rundll32.exe 28 PID 2112 wrote to memory of 2064 2112 rundll32.exe 28 PID 2112 wrote to memory of 2064 2112 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\32be99ae2f646ac264fa133f836f43e2b72b916c21e74c01c3f55b3aa9a3249b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\32be99ae2f646ac264fa133f836f43e2b72b916c21e74c01c3f55b3aa9a3249b.dll,#12⤵
- Suspicious behavior: RenamesItself
PID:2064
-