Analysis
-
max time kernel
140s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-20240508-en
-
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
-
submitted
26-05-2024 08:25
-
Behavioral task
behavioral1
-
Sample
b016590f3b96548f6c97c3539cb7c3aa251795b4b7dbf08881905f6fdaae5cb6.dll
-
Resource
win7-20240508-en (windows7-x64)
-
4 signatures
150 seconds
General
-
Target
b016590f3b96548f6c97c3539cb7c3aa251795b4b7dbf08881905f6fdaae5cb6.dll
-
Size
50KB
-
MD5
256a74274f8343491a107bae0333c1e0
-
SHA1
0bc838e62f441402b68c90a16dfef8e127faa175
-
SHA256
b016590f3b96548f6c97c3539cb7c3aa251795b4b7dbf08881905f6fdaae5cb6
-
SHA512
c142293412bd6713cfbfa3f447372bab850e2c165217d918e211ba4822deda7d2a3cb54251ad7ed1e3a7d407747a45974a2a761fb96a6bad61e236c634c4238f
-
SSDEEP
1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5/JYH:W5ReWjTrW9rNPgYoNJYH
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
(a hostname under the f3322.net dynamic-DNS service; match on the hostname in DNS and proxy logs rather than on whatever IP it resolved to at analysis time)
Signatures
-
Gh0st RAT payload (1 IoC)
resource: behavioral1/memory/1988-0-0x0000000010000000-0x0000000010011000-memory.dmp
yara_rule: family_gh0strat
(memory dump taken from PID 1988, region 0x10000000-0x10011000)
-
Suspicious behavior: RenamesItself (1 IoC)
pid: 1988
process: rundll32.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | procid_target
PID 1616 wrote to memory of 1988 | 1616 | rundll32.exe | 28
(recorded 7 times; every entry is the parent rundll32.exe, PID 1616, writing into its child, PID 1988)
Processes
-
C:\Windows\system32\rundll32.exe (PID 1616)
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b016590f3b96548f6c97c3539cb7c3aa251795b4b7dbf08881905f6fdaae5cb6.dll,#1
signature: Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\rundll32.exe (PID 1988, child of PID 1616)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b016590f3b96548f6c97c3539cb7c3aa251795b4b7dbf08881905f6fdaae5cb6.dll,#1
    signature: Suspicious behavior: RenamesItself
-
Notes: the ",#1" argument tells rundll32 to call the DLL's export with ordinal 1. The 64-bit rundll32.exe in system32 re-launches its 32-bit copy from SysWOW64 with the same arguments when handed a 32-bit DLL (the resource tags list arch:x86), which is why the tree shows rundll32 spawning rundll32; the family_gh0strat YARA hit and the RenamesItself behavior are both on that 32-bit child, PID 1988.
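The helper below is added here as example code; it is not tria.ge's code and not part of the sample. It turns three things the report shows into checks a responder can run over their own process-creation telemetry: it parses a rundll32 command line into the DLL path and entry point (distinguishing an ordinal such as "#1" from a named export), it flags the 64-bit system32 rundll32 spawning the SysWOW64 rundll32 for the same DLL, and it decodes the memory-dump resource name of the YARA hit into PID, start, end and region size (0x11000 bytes at 0x10000000, the default image base of 32-bit DLLs linked with Microsoft's linker, so the hit sits on the mapped DLL image itself). The event records are constructed from the PIDs, image paths and command lines in the Processes section; the Sysmon-like field names and the parent PID 900 for the first rundll32 are assumptions.

```python
"""Triage helpers for rundll32 process trees and sandbox memory-dump names.

Added example, not tria.ge code. The PROCESS_EVENTS records are constructed to
mirror the report's process tree; field names and the ppid 900 are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b016590f3b96548f6c97c3539cb7c3aa251795b4b7dbf08881905f6fdaae5cb6.dll")

# Constructed process-creation events (PIDs, images and command lines from the report).
PROCESS_EVENTS = [
    {"pid": 1616, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 1988, "ppid": 1616, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
]

# rundll32 syntax: rundll32[.exe] <dll>,<entry> [args]; "#N" selects export ordinal N.
_RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^,\s]+)\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE)

# Sandbox dump naming seen in the report: PID-index-0xSTART-0xEND-memory.dmp
_DUMP_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE)


@dataclass
class Rundll32Call:
    dll: str
    entry: Union[int, str]  # int for an ordinal ("#1"), str for a named export

    @property
    def by_ordinal(self) -> bool:
        return isinstance(self.entry, int)


def parse_rundll32_cmdline(cmdline: str) -> Optional[Rundll32Call]:
    """Return the DLL and entry point of a rundll32 invocation, or None if it is not one."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("dll").strip('"')
    entry = m.group("entry")
    if entry.startswith("#") and entry[1:].isdigit():
        return Rundll32Call(dll, int(entry[1:]))
    return Rundll32Call(dll, entry)


def is_user_writable(path: str) -> bool:
    """Directories a standard user can write to; DLLs run from here via rundll32 deserve a look."""
    p = path.lower()
    markers = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
               "\\programdata\\", "\\windows\\temp\\")
    return any(marker in p for marker in markers)


def find_rundll32_relay(events: List[dict]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where the system32 (64-bit) rundll32 spawned the
    SysWOW64 (32-bit) rundll32 for the same DLL, i.e. a 32-bit DLL on a 64-bit host."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if (parent["image"].lower().endswith("\\system32\\rundll32.exe")
                and e["image"].lower().endswith("\\syswow64\\rundll32.exe")):
            pc = parse_rundll32_cmdline(parent["cmdline"])
            cc = parse_rundll32_cmdline(e["cmdline"])
            if pc and cc and pc.dll.lower() == cc.dll.lower():
                pairs.append((parent["pid"], e["pid"]))
    return pairs


def parse_memdump_name(name: str) -> dict:
    """Decode a dump resource name into pid, start, end and region size (bytes)."""
    m = _DUMP_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def triage(events: List[dict], dump_name: str, family: str) -> List[str]:
    """Combine the checks into one list of findings."""
    findings = []
    for e in events:
        call = parse_rundll32_cmdline(e["cmdline"])
        if call and is_user_writable(call.dll):
            how = f"ordinal #{call.entry}" if call.by_ordinal else f"export {call.entry}"
            findings.append(f"pid {e['pid']}: rundll32 loaded {call.dll} via {how} "
                            f"from a user-writable path")
    for parent, child in find_rundll32_relay(events):
        findings.append(f"pid {parent} -> {child}: 64-bit rundll32 relayed to SysWOW64 (32-bit DLL)")
    d = parse_memdump_name(dump_name)
    findings.append(f"pid {d['pid']}: {family} hit on 0x{d['start']:08x}-0x{d['end']:08x} "
                    f"({d['size']} bytes)")
    return findings


if __name__ == "__main__":
    DUMP = "behavioral1/memory/1988-0-0x0000000010000000-0x0000000010011000-memory.dmp"
    for line in triage(PROCESS_EVENTS, DUMP, "family_gh0strat"):
        print(line)
```

Feeding real telemetry in only needs the pid, ppid, image and cmdline fields per process-creation event; the relay check is deliberately narrow (same DLL on both sides), because legitimate 32-bit DLLs produce the same system32 to SysWOW64 hop, so it is the combination with a user-writable DLL path and an ordinal entry point that is worth an alert.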