Analysis
max time kernel: 140s
max time network: 124s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 18:30

Behavioral task: behavioral1
Sample: aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913.dll
Resource: win7-20240508-en
4 signatures, 150 seconds
General
Target: aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913.dll
Size: 899KB
MD5: aecec0af979fa6e2348b3669813b555c
SHA1: 2b5773ee18121bc2fc75c08ca1811c9a6d617dd9
SHA256: aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913
SHA512: f6d7ca01b4f1e90073e97b031e3aee637f7721f69c992cec7739a6231b5cb2623edbaca6d5220b4d6601b82a6dae5c2037b7e102bfcd44c5aac46e686c224c42
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXw:7wqd87Vw
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
Resource: behavioral1/memory/2976-0-0x0000000010000000-0x000000001014F000-memory.dmp
YARA rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
PID: 2976
Process: rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Description: PID 1916 (rundll32.exe) wrote to memory of PID 2976 (rundll32.exe)
The same parent-to-child write is recorded 7 times.
Processes
C:\Windows\system32\rundll32.exe (PID 1916)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913.dll,#1
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe (PID 2976)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913.dll,#1
    - Suspicious behavior: RenamesItself
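Two things in the process tree are worth reading carefully before turning it into detection logic. The hop from the x64 rundll32.exe (PID 1916) to the SysWOW64 copy (PID 2976) is the normal WoW64 re-launch that 64-bit rundll32 performs for a 32-bit DLL (the resource tags list arch:x86, and the YARA hit region starts at 0x10000000, the usual preferred image base of a 32-bit DLL), and the seven parent-to-child WriteProcessMemory events are what that re-launch looks like to a sandbox. Neither is a signal on its own. What does generalize from this report is the staging path (a DLL in a user's Temp directory), the entry point called by ordinal (`,#1`), the sample hashes, and the C2 hostname. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses the report's own memory-dump naming scheme, extracts the DLL and entry point from a rundll32 command line, and runs those indicators over a handful of constructed Sysmon-style events that mirror this tree and C2. The event field names (`type`, `cmdline`, `query`, `sha256`) are assumptions, not a real log schema, and treating the whole `f3322.net` dynamic-DNS zone as watch-listed is a local policy choice that the report does not make.

```python
"""Triage helpers built from the IoCs in the Gh0st RAT report above.

Added example (not the report's or any vendor's code). Event field names
and the sample events are constructed assumptions that mirror the report.
"""
import re
from pathlib import PureWindowsPath

# Indicators copied from the report.
IOC_SHA256 = "aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913"
IOC_MD5 = "aecec0af979fa6e2348b3669813b555c"
IOC_C2 = "hackerinvasion.f3322.net"
# Assumption / local policy: f3322.net is a dynamic-DNS zone, so any query
# into it is worth a lower-confidence alert. The report itself only names the host.
WATCH_ZONES = ("f3322.net",)

# rundll32 command line: rundll32.exe <dll>,<ExportName|#ordinal> [args]
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+),(?P<entry>#\d+|\w+)',
    re.IGNORECASE,
)

# Memory-dump resource name as used in the report:
#   <pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (dll_path, entry) for a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("entry")


def parse_dump_name(name):
    """Parse the report's memory-dump file name into pid and address range."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "index": int(m.group("idx")),
        "start": int(m.group("start"), 16),
        "end": int(m.group("end"), 16),
    }


def rundll32_reasons(ev):
    """Reasons a rundll32 process-creation event looks like this report."""
    reasons = []
    parsed = parse_rundll32(ev.get("cmdline", ""))
    if not parsed:
        return reasons
    dll, entry = parsed
    parts = [p.lower() for p in PureWindowsPath(dll).parts]
    if "appdata" in parts and "temp" in parts:
        reasons.append("rundll32 loading DLL from user temp directory")
    if entry.startswith("#"):
        reasons.append("export called by ordinal")
    # Assumption: sha256/md5 here is the hash of the loaded DLL (as an
    # image-load event would carry it), not of rundll32.exe itself.
    if ev.get("sha256", "").lower() == IOC_SHA256 or ev.get("md5", "").lower() == IOC_MD5:
        reasons.append("DLL hash matches known Gh0st RAT sample")
    return reasons


def dns_reasons(ev):
    """Reasons a DNS query event matches the report's C2 indicator."""
    q = ev.get("query", "").lower().rstrip(".")
    if q == IOC_C2:
        return ["DNS query for known Gh0st RAT C2"]
    if any(q == z or q.endswith("." + z) for z in WATCH_ZONES):
        return ["DNS query to watch-listed dynamic-DNS zone"]
    return []


def triage(events):
    """Map event id -> list of reasons for every event that matches."""
    hits = {}
    for ev in events:
        if ev["type"] == "process":
            reasons = rundll32_reasons(ev)
        elif ev["type"] == "dns":
            reasons = dns_reasons(ev)
        else:
            reasons = []
        if reasons:
            hits[ev["id"]] = reasons
    return hits


# Constructed sample events mirroring the report's process tree and C2.
DLL = r"C:\Users\Admin\AppData\Local\Temp\aecd4208ffafb8cdf30daa6e38065094eff67bdfbcaabd235f9d310206d1d913.dll"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "pid": 1916, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"id": 2, "type": "process", "pid": 2976, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1", "sha256": IOC_SHA256},
    # Benign control: a Control Panel applet launched through rundll32.
    {"id": 3, "type": "process", "pid": 3100, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"id": 4, "type": "dns", "pid": 2976, "query": "hackerinvasion.f3322.net"},
    {"id": 5, "type": "dns", "pid": 2976, "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for event_id, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(event_id, "; ".join(reasons))
```

The benign control event (id 3) is there deliberately: rundll32 with a named export and a system DLL produces no reasons, while both rundll32 instances from the report fire on the Temp path and the ordinal entry, and the SysWOW64 child additionally fires on the DLL hash.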