Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2024 22:29
Behavioral task: behavioral1
- Sample: a00e7ff9d91d687fa648d44c8f33f113671bb766c8512cb388e4bc7dd14094ce.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: a00e7ff9d91d687fa648d44c8f33f113671bb766c8512cb388e4bc7dd14094ce.dll
- Size: 50KB
- MD5: 5cb76017f67fc36bb829db4274d57816
- SHA1: 96237ad680d4244b03c4ec03d9fcf1af77c4f31d
- SHA256: a00e7ff9d91d687fa648d44c8f33f113671bb766c8512cb388e4bc7dd14094ce
- SHA512: ee8aa2570827665b4cc5e538eb380f5677f0f6cbec3807c7ab588fa4a2b63b0214951def0bb875a7b6f0d9f56e1032d9595e4474c7f58759d182279484351718
- SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5VJYH:W5ReWjTrW9rNPgYoDJYH
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  Processes:
  resource: behavioral1/memory/2212-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid 2212, process rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
  PID 1904 wrote to memory of 2212, 1904, rundll32.exe, rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1904)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a00e7ff9d91d687fa648d44c8f33f113671bb766c8512cb388e4bc7dd14094ce.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 2212)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a00e7ff9d91d687fa648d44c8f33f113671bb766c8512cb388e4bc7dd14094ce.dll,#1
    - Suspicious behavior: RenamesItself