Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 22:29
Behavioral task: behavioral1
Sample: 7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll
Resource: win7-20231129-en
Signatures: 4
Run time: 150 seconds
General
Target: 7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll
Size: 899KB
MD5: 3228b9fc83dbc4090137f492167985c6
SHA1: d8fef3b50c44003639266053900a96ec7a5183aa
SHA256: 7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0
SHA512: d44017e6dd41fdb735f667e6dfe9c1e0e9c3a532d5edb5c80b697ecb4972f4c35c99c9c63215e0377960c00782deeec11732b9decdb31685ae45928538361293
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXg:7wqd87Vg
Malware Config (Extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2348-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
  pid: 2348
  Process: rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2328 wrote to memory of 2348
  pid: 2328
  Process: rundll32.exe
  procid_target: 28
  (the same entry is recorded 7 times)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll,#1
   PID: 2328
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2328)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll,#1
      PID: 2348
      Suspicious behavior: RenamesItself