Analysis
  max time kernel: 140s
  max time network: 117s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 11-06-2024 22:32
Behavioral task: behavioral1
  Sample: 480da1a068a4e3396f9cd82c5ff5ecb1976da40b7287782efc1a905cd71aeb79.dll
  Resource: win7-20240508-en
  4 signatures
  150 seconds
General
  Target: 480da1a068a4e3396f9cd82c5ff5ecb1976da40b7287782efc1a905cd71aeb79.dll
  Size: 899KB
  MD5: 9b0dd72c5d94029aba0c0f31833df215
  SHA1: 55a1af2868875ad382d459910b611c70db50ea6b
  SHA256: 480da1a068a4e3396f9cd82c5ff5ecb1976da40b7287782efc1a905cd71aeb79
  SHA512: b7c06f94e7ebbc785b23a6127f4e87df459cea83f8432b49e11ae03df314ed619551a466717ba624ff231ecfd38fafa407ac748b53285b3e52fbda3044a2d969
  SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXY:7wqd87VY
Malware Config
  Extracted
    Family: gh0strat
    C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/2992-0-0x0000000010000000-0x000000001014F000-memory.dmp  family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    2992  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                       pid   process       target process
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
    PID 2928 wrote to memory of 2992  2928  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\480da1a068a4e3396f9cd82c5ff5ecb1976da40b7287782efc1a905cd71aeb79.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2928
      C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\480da1a068a4e3396f9cd82c5ff5ecb1976da40b7287782efc1a905cd71aeb79.dll,#1
        - Suspicious behavior: RenamesItself
        PID: 2992