Analysis
- max time kernel: 145s
- max time network: 50s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 09:15
Behavioral task
behavioral1
- Sample: 9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: 9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c.dll
- Size: 899KB
- MD5: c3b92b0764e936f115581df5c2dcfb39
- SHA1: ee20f76a667a2e5b2d2a5591f5744c1ee3029b9e
- SHA256: 9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c
- SHA512: b9496cc806481533d35cb5bd4f19241840f03f4fc44f59777aa9981ba3c76c0a3bc55a614c028cd45e49482ddf45e1f2776b8f7a8f881c8f9e186904e13529c2
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXD:7wqd87VD
Malware Config
Extracted
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/4328-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 4328  process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 900 wrote to memory of 4328  pid: 900  process: rundll32.exe  procid_target: 86
  description: PID 900 wrote to memory of 4328  pid: 900  process: rundll32.exe  procid_target: 86
  description: PID 900 wrote to memory of 4328  pid: 900  process: rundll32.exe  procid_target: 86
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 900
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c.dll,#1
    Suspicious behavior: RenamesItself
    PID: 4328
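The process tree and signatures above describe a reusable hunting pattern: a 64-bit rundll32.exe is handed a 32-bit DLL staged in a user-writable Temp directory, invoked by export ordinal (#1), and re-launches itself from SysWOW64 for the child that then hosts the Gh0st payload, while the child resolves the extracted C2. The script below is an added example written for this page, not part of the sandbox output or of any detection product. The process and DNS events in it are constructed to mirror the report's tree (PID 900 -> PID 4328) and C2; their field layout is an assumption loosely modelled on Sysmon process-create and DNS-query events, and PID 900's own parent, which the report does not show, is left blank.

```python
"""Triage helper for the rundll32 -> WOW64 rundll32 chain in this report.

Added example; not part of the sandbox output.  Events below are constructed
to mirror the report's process tree and C2; the field layout is an assumption
loosely modelled on Sysmon Event ID 1 (process create) and ID 22 (DNS query).
"""
import re
from dataclasses import dataclass

# Indicators copied from the report.
REPORT_SHA256 = "9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c"
REPORT_C2 = "hackerinvasion.f3322.net"
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\9ddf58f405d1fd39fa3185acc549b247899e81419a7ecb5b2faaae377441755c.dll"

# "rundll32.exe <dll>,<export>": export is an ordinal (#1) or a function name.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE,
)
# Staging locations a rundll32-hosted DLL should not normally be loaded from.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\(?:local\\temp|roaming)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def flag_process(ev):
    """List the reasons a process-create event matches the report's chain."""
    reasons = []
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return reasons
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return reasons
    dll, export = parsed
    if USER_WRITABLE_RE.match(dll):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal {export} rather than by name")
    # A 64-bit rundll32 cannot load a 32-bit DLL, so it re-launches itself from
    # SysWOW64 with the same command line; the sandbox records that hand-off as
    # the parent writing into the child's memory (PID 900 -> 4328 above).
    parent = parse_rundll32(ev.parent_cmdline) if ev.parent_cmdline else None
    if (ev.parent_image.lower().endswith("\\system32\\rundll32.exe")
            and "\\syswow64\\rundll32.exe" in ev.image.lower()
            and parent is not None and parent[0].lower() == dll.lower()):
        reasons.append(f"x64 rundll32 PID {ev.ppid} re-launched as WOW64 rundll32 PID {ev.pid} for the same DLL")
    return reasons


def flag_dns(lines):
    """Return query names in DNS log lines that equal the extracted C2."""
    hits = []
    for line in lines:
        m = re.search(r"QueryName:\s*(\S+)", line)
        if m and m.group(1).rstrip(".").lower() == REPORT_C2:
            hits.append(m.group(1).rstrip("."))
    return hits


def triage(events, dns_lines):
    """Report-shaped summary: flagged PIDs with reasons, plus C2 lookups."""
    procs = {ev.pid: r for ev in events if (r := flag_process(ev))}
    return {"processes": procs, "dns": flag_dns(dns_lines), "sha256": REPORT_SHA256}


# Constructed events mirroring the report's tree (assumed layout, not telemetry).
SAMPLE_EVENTS = [
    ProcEvent(900, 0, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1", "", ""),  # parent not in report
    ProcEvent(4328, 900, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1",
              r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    # Benign control-panel launch, constructed as a negative case.
    ProcEvent(1200, 0, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL", "", ""),
]
SAMPLE_DNS = [  # constructed, not captured traffic
    "DnsQuery pid=4328 QueryName: hackerinvasion.f3322.net",
    "DnsQuery pid=1200 QueryName: www.msftconnecttest.com",
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, SAMPLE_DNS)
    for pid, reasons in result["processes"].items():
        print(pid, *reasons, sep="\n  ")
    print("C2 lookups:", result["dns"])
```

Running it flags PID 900 on the Temp path and the ordinal export, and PID 4328 on those two plus the system32-to-SysWOW64 re-launch for the same DLL, while the shell32.dll control-panel launch passes clean. When porting this to real telemetry, treat the user-writable path as the primary signal: ordinal exports and the x64-to-WOW64 hand-off each occur legitimately on their own, and it is the combination seen in this report that is worth an alert.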