Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
07-05-2024 15:21
General
-
Target
9ce73e05aa931f30f9dc58b8c019ca47a974e76e064a62b6edeee98bda7ca568.dll
-
Size
899KB
-
MD5
d7233188167084e8b0247fde1a1d3445
-
SHA1
5df12028853133911db975d5babc5c4d60982dc5
-
SHA256
9ce73e05aa931f30f9dc58b8c019ca47a974e76e064a62b6edeee98bda7ca568
-
SHA512
950cef9c66c11f34a876da411b4dbb41836df65fdc1cb184ae3e850b74dada5af0ff5f2978bc76d5d48ca1312d55f159c32f6afc48653c2435421c939b2fa797
-
SSDEEP
24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXK:7wqd87VK
Score
10/10
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
Signatures
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9ce73e05aa931f30f9dc58b8c019ca47a974e76e064a62b6edeee98bda7ca568.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9ce73e05aa931f30f9dc58b8c019ca47a974e76e064a62b6edeee98bda7ca568.dll,#12⤵
- Suspicious behavior: RenamesItself
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB