Analysis
max time kernel: 145s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 04-06-2024 00:30
Behavioral task: behavioral1
Sample: ec73acd60eae4e2c16bd0390b92c69ba009fc0b9744fc6876c0c8609d14fda46.dll
Resource: win7-20240221-en
4 signatures
150 seconds

Note that this task header describes the Windows 7 run, while the analysis metadata above and the behavioral2 memory-dump path in the signatures below belong to the Windows 10 (win10v2004-20240508-en) run; only the Windows 10 results are reproduced on this page.
General
Target: ec73acd60eae4e2c16bd0390b92c69ba009fc0b9744fc6876c0c8609d14fda46.dll
Size: 899KB
MD5: f4fb0cb1fc982cc8318bd2551ef42bd0
SHA1: c4e893a1061492d1b16ddee1d3b81e4afcdc2f39
SHA256: ec73acd60eae4e2c16bd0390b92c69ba009fc0b9744fc6876c0c8609d14fda46
SHA512: b9c9745c93c89d8fd9b642ca09e5ed05bc6a8f2823e4b364587a1b2c91a0617d2f0882b35ae25b1f61d7fb868ffdea07e9b530dc888e2ebe79489f6e898218f8
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXh:7wqd87Vh
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net

f3322.net is a dynamic-DNS service, so the hostname is the durable indicator here; any address it resolves to at a given moment should be treated as transient.
Signatures

Gh0st RAT payload (1 IoC)
resource: behavioral2/memory/2472-0-0x0000000010000000-0x000000001014F000-memory.dmp
yara_rule: family_gh0strat

The matched region starts at 0x10000000, the conventional preferred image base of a 32-bit DLL, and spans 0x14F000 bytes inside PID 2472 (the SysWOW64 rundll32.exe), so the Gh0st RAT match is on the 32-bit sample as mapped in the WOW64 process rather than on a separately injected payload.

Suspicious behavior: RenamesItself (1 IoC)
pid: 2472
Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3192 wrote to memory of 2472 | 3192 | rundll32.exe | 82
PID 3192 wrote to memory of 2472 | 3192 | rundll32.exe | 82
PID 3192 wrote to memory of 2472 | 3192 | rundll32.exe | 82

All three writes go from the 64-bit rundll32.exe (3192) into the SysWOW64 rundll32.exe (2472) it spawned. A 64-bit rundll32 that is handed a 32-bit DLL relaunches the 32-bit copy with the same arguments, and a parent writing into a child it has just created is routine, so this signature is low-signal on its own; the Gh0st RAT YARA hit and the extracted C2 are what make the verdict.
Processes

C:\Windows\system32\rundll32.exe (PID 3192)
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec73acd60eae4e2c16bd0390b92c69ba009fc0b9744fc6876c0c8609d14fda46.dll,#1
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2472, child of 3192)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec73acd60eae4e2c16bd0390b92c69ba009fc0b9744fc6876c0c8609d14fda46.dll,#1
  - Suspicious behavior: RenamesItself
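The following is an added example, not part of the sandbox report or its tooling: a Python script that rebuilds the parent/child links from the process tree, counts the WriteProcessMemory rows, parses the memory-dump name behind the YARA hit, and joins them into findings a responder can act on (the 64-bit to SysWOW64 rundll32 handoff for the same DLL export, and where the Gh0st RAT payload was matched). The input rows are copied from the report above and embedded as constructed sample data so it runs offline; the function names, the row regexes and the `DEFAULT_DLL_BASE` constant are this example's own.

```python
import re
from collections import Counter

# Constructed sample input, copied from the report's signature table and
# process tree so the script runs offline.
WRITE_ROWS = [
    "PID 3192 wrote to memory of 2472 3192 rundll32.exe 82",
    "PID 3192 wrote to memory of 2472 3192 rundll32.exe 82",
    "PID 3192 wrote to memory of 2472 3192 rundll32.exe 82",
]
DLL = (r"C:\Users\Admin\AppData\Local\Temp\ec73acd60eae4e2c16bd0390b92c69ba"
       r"009fc0b9744fc6876c0c8609d14fda46.dll")
# (pid, tree depth, image, command line) in the order the tree prints them.
PROCESS_TREE = [
    (3192, 1, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    (2472, 2, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
]
YARA_HIT = ("behavioral2/memory/2472-0-0x0000000010000000-0x000000001014F000-memory.dmp",
            "family_gh0strat")

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_DLL_BASE = 0x10000000  # conventional preferred image base of a 32-bit DLL


def parse_write_events(rows):
    """Count (source pid, target pid, source image) triples; the report prints one row per IoC hit."""
    counts = Counter()
    for row in rows:
        m = WRITE_RE.fullmatch(row.strip())
        if m is None:
            raise ValueError("unrecognised signature row: " + row)
        src, dst, _pid, image, _target = m.groups()
        counts[(int(src), int(dst), image)] += 1
    return dict(counts)


def parse_process_tree(entries):
    """Recover parent links from tree depth: a depth-n entry hangs off the last depth n-1 entry."""
    procs, last_at_depth = {}, {}
    for pid, depth, image, cmdline in entries:
        procs[pid] = {"image": image, "cmdline": cmdline,
                      "parent": last_at_depth.get(depth - 1)}
        last_at_depth[depth] = pid
    return procs


def parse_yara_region(dump_name):
    """Pull pid and mapped address range out of a '<pid>-<n>-<start>-<end>-memory.dmp' name."""
    m = DUMP_RE.search(dump_name)
    if m is None:
        raise ValueError("unrecognised dump name: " + dump_name)
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size": end - start}


def rundll32_args(cmdline):
    """Split 'rundll32.exe <dll>,<export>' into (lower-cased dll path, export)."""
    dll, export = cmdline.split(" ", 1)[1].rsplit(",", 1)
    return dll.lower(), export


def correlate(entries, rows, yara_hit):
    """Join process tree, write events and YARA hit into a findings dict."""
    procs = parse_process_tree(entries)
    writes = parse_write_events(rows)
    region = parse_yara_region(yara_hit[0])
    findings = {}
    for pid, proc in procs.items():
        parent = procs.get(proc["parent"])
        if parent is None:
            continue
        # A 64-bit rundll32 handed a 32-bit DLL relaunches the SysWOW64 copy
        # with the same arguments; the parent->child memory write is part of
        # that handoff, not injection into an unrelated process.
        if (parent["image"].lower().endswith(r"\system32\rundll32.exe")
                and proc["image"].lower().endswith(r"\syswow64\rundll32.exe")
                and rundll32_args(parent["cmdline"]) == rundll32_args(proc["cmdline"])):
            dll, export = rundll32_args(proc["cmdline"])
            findings["wow64_hop"] = {
                "parent": proc["parent"], "child": pid, "dll": dll, "export": export,
                "write_rows": writes.get((proc["parent"], pid, "rundll32.exe"), 0),
            }
    payload_proc = procs.get(region["pid"], {})
    findings["payload"] = {
        "family": yara_hit[1].replace("family_", ""),
        "pid": region["pid"],
        "in_wow64_child": "syswow64" in payload_proc.get("image", "").lower(),
        "image_base": region["start"],
        "mapped_size": region["size"],
        "default_dll_base": region["start"] == DEFAULT_DLL_BASE,
    }
    return findings


if __name__ == "__main__":
    for name, detail in correlate(PROCESS_TREE, WRITE_ROWS, YARA_HIT).items():
        print(name, detail)
```

Run as-is it reports the single wow64_hop (3192 to 2472, same DLL, export #1, three write rows) and a gh0strat payload mapped at 0x10000000 for 0x14F000 bytes inside the WOW64 child; the same parse functions can be pointed at rows copied from other reports in this format.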