Analysis
Max time kernel: 140s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240215-en
Resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
Submitted: 11-06-2024 15:33

Behavioral task: behavioral1
Sample: 06b6d8e0daa1e9649d6853b3bd39421af0324f662a2e9a3f2c81a6f487b64ef3.dll
Resource: win7-20240215-en
4 signatures
150 seconds
General
Target: 06b6d8e0daa1e9649d6853b3bd39421af0324f662a2e9a3f2c81a6f487b64ef3.dll
Size: 51KB
MD5: 87346e29b661bcd864c0761540359077
SHA1: ba41945e7469973d6c7b70b8360a5594492fc076
SHA256: 06b6d8e0daa1e9649d6853b3bd39421af0324f662a2e9a3f2c81a6f487b64ef3
SHA512: 7eb71b71c3c6d77bc0642a73eb7a55716bb5a15c31cf3eaa0a428c09dbd65330cc02d5629fc07792da66e4fa55956f6cdd755f04556633aa362fc4f643682be3
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLFJYH5:1dWubF3n9S91BF3fboJJYH5
Malware Config
Extracted
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures
- Gh0st RAT payload (1 IoC)
  Processes:
  Resource: behavioral1/memory/2604-0-0x0000000010000000-0x0000000010011000-memory.dmp; YARA rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  PID 2604, process rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  Description: PID 2320 wrote to memory of 2604; process rundll32.exe (PID 2320), target process rundll32.exe (PID 2604); this write was reported 7 times
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06b6d8e0daa1e9649d6853b3bd39421af0324f662a2e9a3f2c81a6f487b64ef3.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2320
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\06b6d8e0daa1e9649d6853b3bd39421af0324f662a2e9a3f2c81a6f487b64ef3.dll,#1
    - Suspicious behavior: RenamesItself
    PID: 2604