Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 03-06-2024 23:33

Behavioral task: behavioral1
Sample: 232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll
Resource: win7-20240508-en
Signatures: 4
Duration: 150 seconds
General

Target: 232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll
Size: 899KB
MD5: d38ec9b3e7249cd21df1e01432f6929a
SHA1: c0b2d1494f75ed6f2077150254e5c911066d4a87
SHA256: 232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6
SHA512: 3e939bde0a7d4c47556797c78e544c03c488e4146b67e563ac39edc486c7e615f6f7f4626911128b276ce8779e08b6610ea75c85ec6fb0c716946ccb31f06c12
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXU:7wqd87VU
Malware Config (extracted)

Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/3612-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 3612
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process        procid_target
  PID 636 wrote to memory of 3612    636   rundll32.exe   82
  PID 636 wrote to memory of 3612    636   rundll32.exe   82
  PID 636 wrote to memory of 3612    636   rundll32.exe   82
Processes

C:\Windows\system32\rundll32.exe (PID 636)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 3612, child of 636)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\232cdd883994f7210d0022c8df0cb5b80185fb677c43757a239bc19038073cc6.dll,#1
    signatures: Suspicious behavior: RenamesItself