Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 22:32
Behavioral task
behavioral1
Sample
ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll
Resource
win7-20240221-en
4 signatures
150 seconds
General
-
Target
ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll
-
Size
899KB
-
MD5
753feb341f38b432e28f2dc644db535a
-
SHA1
fb85051ad8f7f9c304c2ab7fed326c16d47cdb15
-
SHA256
ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee
-
SHA512
48b36e2677310fcdf2b4f74b8c14881eb2a5055b35a278972e62433ab038e1c571b57fd0230255829a3489ae4b5afae3dc2543fd1264697bbc6ede7160f33ebb
-
SSDEEP
24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXq:7wqd87Vq
Malware Config
Extracted
Family
gh0strat
C2
hackerinvasion.f3322.net
Signatures
-
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/2064-0-0x0000000010000000-0x000000001014F000-memory.dmp family_gh0strat -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2064 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3184 wrote to memory of 2064 3184 rundll32.exe 82 PID 3184 wrote to memory of 2064 3184 rundll32.exe 82 PID 3184 wrote to memory of 2064 3184 rundll32.exe 82
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef7d7ce1dd5bcf1d441020515a3bdab087ef0cc800e1016f31e99e69ef9c2fee.dll,#12⤵
- Suspicious behavior: RenamesItself
PID:2064
-