Analysis

max time kernel: 142s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 22:29
Behavioral task: behavioral1

Sample: dcf5fb9d9cb0c603a7eadbda13d9e4dfebe571d4ea4eee1aad6704039aff1bb5.dll
Resource: win7-20240221-en
Signatures: 4
Duration: 150 seconds
General

Target: dcf5fb9d9cb0c603a7eadbda13d9e4dfebe571d4ea4eee1aad6704039aff1bb5.dll
Size: 51KB
MD5: 20a8800500cbfeb5fdd590375e0ce7ef
SHA1: fded891a2395a940fdb41ac292f4e6b641fc3770
SHA256: dcf5fb9d9cb0c603a7eadbda13d9e4dfebe571d4ea4eee1aad6704039aff1bb5
SHA512: 26febe79bcdc87eeb3e8fb5b4b441b6a6e3539635ebf7b97e83e8ca658364d7fee3138eb60460e6799381aed2fd480a2cc953cd1fa439db3fb808d5e77723ff7
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL0JYH5:1dWubF3n9S91BF3fboQJYH5
Malware Config (extracted)

Family: gh0strat
C2: kinh.xmcxmr.com
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2076-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 2076
  Process: rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs, all identical)
  description: PID 2236 wrote to memory of 2076
  pid: 2236
  Process: rundll32.exe
  procid_target: 28
Processes

1. C:\Windows\system32\rundll32.exe (PID 2236)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcf5fb9d9cb0c603a7eadbda13d9e4dfebe571d4ea4eee1aad6704039aff1bb5.dll,#1
   Signature: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 2076, child of 2236)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcf5fb9d9cb0c603a7eadbda13d9e4dfebe571d4ea4eee1aad6704039aff1bb5.dll,#1
      Signature: Suspicious behavior: RenamesItself