Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 23:33
Behavioral task: behavioral1
Sample: 232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll
Resource: win7-20240508-en
4 signatures
150 seconds
General
Target: 232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll
Size: 899KB
MD5: d38ec9b3e7249cd21df1e01432f6929a
SHA1: c0b2d1494f75ed6f2077150254e5c911066d4a87
SHA256: 232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6
SHA512: 3e939bde0a7d4c47556797c78e544c03c488e4146b67e563ac39edc486c7e615f6f7f4626911128b276ce8779e08b6610ea75c85ec6fb0c716946ccb31f06c12
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXU:7wqd87VU
Malware Config (Extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
resource                                                                    yara_rule
behavioral1/memory/2540-0-0x0000000010000000-0x000000001014F000-memory.dmp  family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
2540  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                        pid   Process       procid_target
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
PID 2976 wrote to memory of 2540   2976  rundll32.exe  28
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll,#1
  PID: 2976
  Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of PID 2976)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll,#1
    PID: 2540
    Suspicious behavior: RenamesItself