Analysis
- max time kernel: 148s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/04/2024, 18:14
Behavioral task: behavioral1
- Sample: 2013ea2c16e25c465dd75c7304e5a0dca8f304e944352ba754ec70dbe25e5f71.dll
- Resource: win7-20240220-en
- 4 signatures
- 150 seconds
General
- Target: 2013ea2c16e25c465dd75c7304e5a0dca8f304e944352ba754ec70dbe25e5f71.dll
- Size: 899KB
- MD5: 1d26431d10b6f291f8a930471d080714
- SHA1: 5eca08d3b3054c4f3bcae278599218fce6c26a37
- SHA256: 2013ea2c16e25c465dd75c7304e5a0dca8f304e944352ba754ec70dbe25e5f71
- SHA512: adf8a8097d7e6db6b650525b9007b68e73f0f5567de6edf72959bdae16de42c257e20b6a25520ddc327582c39438c49f22afefb9e67e067fe6ec1da1572bc0ef
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXI:7wqd87VI
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoCs)
  resource: behavioral2/memory/3720-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 3720
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 552 wrote to memory of 3720 | 552 | rundll32.exe | 85
  PID 552 wrote to memory of 3720 | 552 | rundll32.exe | 85
  PID 552 wrote to memory of 3720 | 552 | rundll32.exe | 85
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2013ea2c16e25c465dd75c7304e5a0dca8f304e944352ba754ec70dbe25e5f71.dll,#1
  - Suspicious use of WriteProcessMemory
  - PID: 552
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2013ea2c16e25c465dd75c7304e5a0dca8f304e944352ba754ec70dbe25e5f71.dll,#1
    - Suspicious behavior: RenamesItself
    - PID: 3720