Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 22:32
Behavioral task
behavioral1
Sample
ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll
-
Size
899KB
-
MD5
753feb341f38b432e28f2dc644db535a
-
SHA1
fb85051ad8f7f9c304c2ab7fed326c16d47cdb15
-
SHA256
ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee
-
SHA512
48b36e2677310fcdf2b4f74b8c14881eb2a5055b35a278972e62433ab038e1c571b57fd0230255829a3489ae4b5afae3dc2543fd1264697bbc6ede7160f33ebb
-
SSDEEP
24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXq:7wqd87Vq
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
Signatures
-
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2160-0-0x0000000010000000-0x000000001014F000-memory.dmp family_gh0strat -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2160 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2164 wrote to memory of 2160 2164 rundll32.exe 28 PID 2164 wrote to memory of 2160 2164 rundll32.exe 28 PID 2164 wrote to memory of 2160 2164 rundll32.exe 28 PID 2164 wrote to memory of 2160 2164 rundll32.exe 28 PID 2164 wrote to memory of 2160 2164 rundll32.exe 28 PID 2164 wrote to memory of 2160 2164 rundll32.exe 28 PID 2164 wrote to memory of 2160 2164 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll,#12⤵
- Suspicious behavior: RenamesItself
PID:2160
-