Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 10:43
Behavioral task
behavioral1
Sample
a1a21e25b682078411e2997af4d9f34fd55f436222aab6741504db1f8a03fbd0.dll
Resource
win7-20240220-en
windows7-x64
4 signatures
150 seconds
General
-
Target
a1a21e25b682078411e2997af4d9f34fd55f436222aab6741504db1f8a03fbd0.dll
-
Size
899KB
-
MD5
b4a0f6b08d318b9668909f610b60d07d
-
SHA1
1c2113f8c54f1ad91a54a425370b110a218c99ba
-
SHA256
a1a21e25b682078411e2997af4d9f34fd55f436222aab6741504db1f8a03fbd0
-
SHA512
feb8ad3cfc688e74280b8bcf65156c73598a892766205079040b1b2722328f0d98a481cb56afe230b6c0af9a5de28e9e3aedd1c3a9886b309a5d768457a64273
-
SSDEEP
24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXd:7wqd87Vd
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
Signatures
-
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4844-0-0x0000000010000000-0x000000001014F000-memory.dmp family_gh0strat -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
rundll32.exepid process 4844 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 624 wrote to memory of 4844 624 rundll32.exe rundll32.exe PID 624 wrote to memory of 4844 624 rundll32.exe rundll32.exe PID 624 wrote to memory of 4844 624 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a1a21e25b682078411e2997af4d9f34fd55f436222aab6741504db1f8a03fbd0.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a1a21e25b682078411e2997af4d9f34fd55f436222aab6741504db1f8a03fbd0.dll,#12⤵
- Suspicious behavior: RenamesItself
PID:4844