Analysis

max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 04:51

Behavioral task: behavioral1
Sample: 274fc8dcd8842fbe187252c3921dd1f7f80009895f787bda2d3aa94c54911a9f.dll
Resource: win7-20240508-en
4 signatures
150 seconds
General

Target: 274fc8dcd8842fbe187252c3921dd1f7f80009895f787bda2d3aa94c54911a9f.dll
Size: 899KB
MD5: 2a4719d017bb798392dc1d4b01e67832
SHA1: 58233c466a3f29dab142eb37806d26ec9ec2ff00
SHA256: 274fc8dcd8842fbe187252c3921dd1f7f80009895f787bda2d3aa94c54911a9f
SHA512: 8cf4b7a1497827c8d7a570606cafbac5a9776dd9dd8c0222aa739035a2f402eb866d3ca130b83811c0bfd126abca3b22101f9520bbe12bb1e8c42be5d59ef095
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXY:7wqd87VY
Malware Config

Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1748-0-0x0000000010000000-0x000000001014F000-memory.dmp   family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  1748  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process       target process
  PID 1632 wrote to memory of 1748   1632  rundll32.exe  1748 rundll32.exe
  (the same parent-to-child event is recorded 7 times)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1632)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\274fc8dcd8842fbe187252c3921dd1f7f80009895f787bda2d3aa94c54911a9f.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1748)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\274fc8dcd8842fbe187252c3921dd1f7f80009895f787bda2d3aa94c54911a9f.dll,#1
      - Suspicious behavior: RenamesItself

Reading the tree: ",#1" tells rundll32 to call the DLL's export by ordinal 1 rather than by name, so the export name never appears on the command line. The x64 rundll32 in system32 (PID 1632) relaunches the x86 rundll32 from SysWOW64 (PID 1748) with the same command line, which is the normal hand-off when a 32-bit DLL is passed to the 64-bit host; the WriteProcessMemory events are from that parent to that child, and the Gh0st RAT YARA hit is in the child's memory at 0x10000000.
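The checks a triage script would run over this report's process tree, API events and YARA hit, written as an added example (not part of the original sandbox report). The process, event and dump records below are constructed from the report above rather than read from live telemetry; the dynamic-DNS zone list and the user-writable path list are small illustrative sets, not authoritative ones.

```python
"""Triage checks over a sandbox report's process tree, API events and YARA hits.

Added example (not part of the original report): the records below are
constructed from the report above, not pulled from live telemetry.
"""
import re

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\274fc8dcd8842fbe187252c3921dd1f7f80009895f787bda2d3aa94c54911a9f.dll")

# Process tree as reported: x64 rundll32 (1632) spawning x86 rundll32 (1748).
PROCESSES = [
    {"pid": 1632, "ppid": 0,    "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1748, "ppid": 1632, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
]
EVENTS = [("WriteProcessMemory", 1632, 1748)] * 7   # the 7 identical IoC rows
YARA_HITS = [("behavioral1/memory/1748-0-0x0000000010000000-0x000000001014F000-memory.dmp",
              "family_gh0strat")]
C2 = "hackerinvasion.f3322.net"

ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),\s*#(?P<ord>\d+)", re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
DYNAMIC_DNS_ZONES = {"f3322.net", "3322.org"}  # assumption: a minimal illustrative DDNS list
DUMP_RE = re.compile(r"(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
                     re.I)


def rundll32_ordinal_load(cmdline):
    """(dll, ordinal) when rundll32 calls an export by ordinal ('#n') on a DLL
    in a user-writable directory; None otherwise. Ordinal calls hide the export
    name, and Temp is where droppers stage payloads."""
    m = ORDINAL_RE.search(cmdline)
    if not m:
        return None
    dll = m.group("dll")
    if not any(d in dll.lower() for d in USER_WRITABLE):
        return None
    return dll, int(m.group("ord"))


def wow64_handoff(parent, child):
    """True when a 64-bit rundll32 relaunches the 32-bit SysWOW64 rundll32 with
    the same command line, which is what happens when a 32-bit DLL is given to
    the x64 host. Parent->child WriteProcessMemory events in that pairing are
    consistent with process creation rather than injection into a third process."""
    imgs = [p["image"].lower() for p in (parent, child)]
    return (all(i.endswith("\\rundll32.exe") for i in imgs)
            and "\\system32\\" in imgs[0] and "\\syswow64\\" in imgs[1]
            and parent["cmdline"] == child["cmdline"])


def parse_memory_dump(name):
    """Parse a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' name into pid, base and size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "base": start, "size": end - start,
            # 0x10000000 is the default preferred image base for MSVC-built 32-bit DLLs
            "at_default_dll_base": start == 0x10000000}


def c2_zone(domain):
    """Registrable zone of the C2 host and whether it is in the known dynamic-DNS set."""
    zone = ".".join(domain.lower().split(".")[-2:])
    return zone, zone in DYNAMIC_DNS_ZONES


def triage():
    """Run every check over the constructed records and return finding strings."""
    findings = []
    by_pid = {p["pid"]: p for p in PROCESSES}
    for p in PROCESSES:
        hit = rundll32_ordinal_load(p["cmdline"])
        if hit:
            name = hit[0].split("\\")[-1]
            findings.append(f"pid {p['pid']}: rundll32 loads {name} by ordinal #{hit[1]} "
                            f"from a user-writable path")
        parent = by_pid.get(p["ppid"])
        if parent and wow64_handoff(parent, p):
            n = sum(1 for api, src, dst in EVENTS
                    if api == "WriteProcessMemory" and (src, dst) == (parent["pid"], p["pid"]))
            findings.append(f"pid {parent['pid']} -> {p['pid']}: x64->x86 rundll32 hand-off; "
                            f"{n} WriteProcessMemory events fit process creation")
    for dump, rule in YARA_HITS:
        info = parse_memory_dump(dump)
        where = "at the default DLL base" if info["at_default_dll_base"] else "off the default DLL base"
        findings.append(f"pid {info['pid']}: {rule} matched {info['size'] / 2**20:.1f} MB "
                        f"at 0x{info['base']:08x} ({where})")
    zone, ddns = c2_zone(C2)
    note = "dynamic DNS: block the host name, expect its IP to rotate" if ddns else "static zone"
    findings.append(f"C2 {C2}: zone {zone} ({note})")
    return findings


if __name__ == "__main__":
    print("\n".join(triage()))
```

The region size recovered from the dump name (0x14F000 bytes) rounds to the 1.3MB the report lists under Downloads, and the base 0x10000000 is the default preferred image base for 32-bit MSVC DLLs, so the YARA hit sits in a module mapped at its preferred address rather than in a separately allocated buffer.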
Network
MITRE ATT&CK Matrix
Downloads

memory/1748-0-0x0000000010000000-0x000000001014F000-memory.dmp
Filesize: 1.3MB