Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 15:30

Behavioral task: behavioral1
Sample: 81f93dd509f42923adaa799804188c7095ba7f69eb26003facba4739e2f73411.dll
Resource: win7-20240221-en
4 signatures, 150 seconds
General
Target: 81f93dd509f42923adaa799804188c7095ba7f69eb26003facba4739e2f73411.dll
Size: 899KB
MD5: cf250711b162e48b54959ed4a356e9b9
SHA1: 81e53ae2769e0a2a1b419e0a32e9eefbc5cb8808
SHA256: 81f93dd509f42923adaa799804188c7095ba7f69eb26003facba4739e2f73411
SHA512: f7628956765f251582a27f5ff6620b7ef895770faba727198380f2c04a92dbe2683143168cde12c083bfa7c5255932ae935c77ef9f225dea78b2fc19d39662f0
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXt:7wqd87Vt
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2212-0-0x0000000010000000-0x000000001014F000-memory.dmp    family_gh0strat
The YARA hit is on a memory dump of PID 2212 (the SysWOW64 rundll32.exe). The region base 0x10000000 is the default preferred image base for 32-bit DLLs, so this is the sample's own image mapped in the 32-bit process; its mapped size (0x14F000, about 1.3 MB) exceeds the 899KB on disk because sections are aligned and expanded in memory.

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid     process
  2212    rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                         pid     process         target process
  PID 3000 wrote to memory of 2212    3000    rundll32.exe    rundll32.exe
  (the same parent-to-child write is recorded seven times)
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f93dd509f42923adaa799804188c7095ba7f69eb26003facba4739e2f73411.dll,#1
   PID: 3000
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f93dd509f42923adaa799804188c7095ba7f69eb26003facba4739e2f73411.dll,#1
      PID: 2212
      Suspicious behavior: RenamesItself

Both processes run the sample through export ordinal 1 (the ",#1" argument). The 64-bit rundll32.exe in system32 (PID 3000) cannot load a 32-bit DLL itself, so it re-launches the 32-bit rundll32.exe from SysWOW64 (PID 2212) with the same command line; the seven WriteProcessMemory events from 3000 into 2212 are consistent with that handoff rather than with injection into a third process. The Gh0st RAT payload is then detected in, and the self-rename performed by, the 32-bit child.
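The detection logic a practitioner would want from this report, written here as an added example (not sandbox or vendor code): flag rundll32 launches of a DLL staged under the user's Temp folder that are entered by ordinal, note when such a launch is the 64-bit-to-SysWOW64 rundll32 handoff seen above, and parse the memory-dump IoC name into PID, base and size. The event records are constructed for the example (the two rundll32 entries mirror the report's PIDs, images and command lines; the explorer.exe parent and the shell32 control-panel launch are invented), and the event layout is an assumption loosely modelled on Sysmon Event ID 1.

```python
"""Added example: detector for the rundll32 -> SysWOW64 rundll32 handoff and a
parser for the report's memory-dump IoC. Not code from the sandbox or the
report; events below are constructed, field layout assumed (Sysmon-like)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\81f93dd509f42923adaa799804188c7095ba7f69eb26003facba4739e2f73411.dll")

# Constructed events: PIDs 3000/2212 and their images and command lines mirror
# the report's process tree; explorer.exe (PID 1000) and the shell32 launch
# (PID 4100) are invented to give a benign parent and a benign rundll32 use.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3000, 1000, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2212, 3000, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4100, 1000, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

# "rundll32.exe <dll>,<export>"; the export is a name or an ordinal written #N.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)


def parse_rundll32(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    return (m["dll"], m["export"]) if m else None


def is_wow64_handoff(parent: ProcEvent, child: ProcEvent) -> bool:
    """64-bit rundll32 re-launching the SysWOW64 rundll32 on the same DLL,
    which is what a 32-bit DLL given to the system32 rundll32 produces."""
    if child.ppid != parent.pid:
        return False
    if not parent.image.lower().endswith("\\system32\\rundll32.exe"):
        return False
    if not child.image.lower().endswith("\\syswow64\\rundll32.exe"):
        return False
    p, c = parse_rundll32(parent.cmdline), parse_rundll32(child.cmdline)
    return p is not None and c is not None and p[0].lower() == c[0].lower()


def is_suspicious_dll_load(dll: str, export: str) -> bool:
    """DLL staged under the user's Temp folder and entered by ordinal (#N),
    the pattern in the report; system DLLs called by name do not match."""
    in_temp = "\\appdata\\local\\temp\\" in dll.lower()
    by_ordinal = re.fullmatch(r"#\d+", export) is not None
    return in_temp and by_ordinal


def find_alerts(events: list[ProcEvent]) -> list[dict]:
    """One alert per suspicious rundll32 launch, annotated with whether it is
    the WOW64 handoff child of another rundll32 on the same DLL."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parsed = parse_rundll32(e.cmdline)
        if parsed is None:
            continue
        dll, export = parsed
        if not is_suspicious_dll_load(dll, export):
            continue
        parent = by_pid.get(e.ppid)
        alerts.append({
            "pid": e.pid, "ppid": e.ppid, "dll": dll, "export": export,
            "wow64_handoff": parent is not None and is_wow64_handoff(parent, e),
        })
    return alerts


# Memory-dump IoC names in the report: "<pid>-<n>-0x<start>-0x<end>-memory.dmp".
MEM_RE = re.compile(
    r"(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_memory_ioc(name: str) -> dict:
    """Split the IoC name into the dumped PID, region bounds and size."""
    m = MEM_RE.search(name)
    if m is None:
        raise ValueError(f"not a memory-dump IoC name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
    print(parse_memory_ioc(
        "behavioral1/memory/2212-0-0x0000000010000000-0x000000001014F000-memory.dmp"))
```

Run against the constructed events, the detector raises two alerts (PIDs 3000 and 2212), only the second of which is marked as a WOW64 handoff, and stays quiet on the shell32 launch; the IoC parser recovers PID 2212 and a 0x14F000-byte region at 0x10000000.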