Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 19:01
Behavioral task: behavioral1
Sample: ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll
Resource: win7-20240221-en (windows7-x64)
4 signatures
150 seconds
General
Target: ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll
Size: 50KB
MD5: 7fc17999e2396852ea7ad3e813745ddd
SHA1: d099202eaf4ffa17c6b2a636f2a4ca434b7598c6
SHA256: ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77
SHA512: c71e51750c9279067aaeed7f2f99364f026ce6259c544702bc8ad506a783f50bff1bea4db59ae752d04ca6b5362c8c053bf4c0fddecfac06ff832afd8511313d
SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5/JYH:W5ReWjTrW9rNPgYoRJYH
Malware Config (extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2292-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  process: rundll32.exe (PID 2292)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2980 (rundll32.exe) wrote to memory of PID 2292 (rundll32.exe), 7 times
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll,#1
  PID: 2980
  signatures: Suspicious use of WriteProcessMemory

  child: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebbcf9de741971e7c3ae571b29020c2945a4f03d0f57f376f4172ce18308eb77.dll,#1
    PID: 2292
    signatures: Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
memory/2292-0-0x0000000010000000-0x0000000010011000-memory.dmp (filesize: 68KB)