Analysis
Max time kernel: 141s
Max time network: 125s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-06-2024 22:29
Behavioral task: behavioral1
Sample: 7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll
Resource: win7-20231129-en
4 signatures
150 seconds
General
Target: 7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll
Size: 899KB
MD5: 3228b9fc83dbc4090137f492167985c6
SHA1: d8fef3b50c44003639266053900a96ec7a5183aa
SHA256: 7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0
SHA512: d44017e6dd41fdb735f667e6dfe9c1e0e9c3a532d5edb5c80b697ecb4972f4c35c99c9c63215e0377960c00782deeec11732b9decdb31685ae45928538361293
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXg:7wqd87Vg
Malware Config (extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
Resource: behavioral2/memory/1656-0-0x0000000010000000-0x000000001014F000-memory.dmp
YARA rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
PID: 1656
Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Description                        | PID  | Process      | Target PID
PID 3164 wrote to memory of 1656   | 3164 | rundll32.exe | 82
PID 3164 wrote to memory of 1656   | 3164 | rundll32.exe | 82
PID 3164 wrote to memory of 1656   | 3164 | rundll32.exe | 82
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll,#1
   PID: 3164
   Signature: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 3164)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b525d4ac501f207e5232fe1eb7a3485a745215ecf500878ae0a8c98321c8ec0.dll,#1
      PID: 1656
      Signature: Suspicious behavior: RenamesItself