Analysis
max time kernel: 140s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2024, 14:22

Behavioral task: behavioral1
Sample: 323cf0dbdf113b0a686174d000bbcdffd8c4eb7425bee304d5f7fa935521bba2.dll
Resource: win7-20240221-en
Signatures: 4
Duration: 150 seconds
General
Target: 323cf0dbdf113b0a686174d000bbcdffd8c4eb7425bee304d5f7fa935521bba2.dll
Size: 899KB
MD5: c1f9abfb8a65726c89a68756c5fd7e9b
SHA1: a46c585bfbc67bc7ca27e53e734af252df3c3011
SHA256: 323cf0dbdf113b0a686174d000bbcdffd8c4eb7425bee304d5f7fa935521bba2
SHA512: 6f7a3a097198c21b1d4f1f9b2525a0919121f81ccd352cbb3ae3f47b6a6a302dad6db59395dc93885e56a16a34d60dabb22a84020252f1fd29ad4b5ffe1bc67d
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXi:7wqd87Vi
Malware Config (Extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/2836-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 2836
  Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process       procid_target
  PID 4392 wrote to memory of 2836     4392  rundll32.exe  84
  PID 4392 wrote to memory of 2836     4392  rundll32.exe  84
  PID 4392 wrote to memory of 2836     4392  rundll32.exe  84
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\323cf0dbdf113b0a686174d000bbcdffd8c4eb7425bee304d5f7fa935521bba2.dll,#1
   PID: 4392
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\323cf0dbdf113b0a686174d000bbcdffd8c4eb7425bee304d5f7fa935521bba2.dll,#1
      PID: 2836
      Signatures: Suspicious behavior: RenamesItself