Analysis

Max time kernel: 140s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 11-06-2024 18:30
Behavioral task

Task: behavioral1
Sample: 0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll
Resource: win7-20240508-en
Signatures: 4
Duration: 150 seconds
General

Target: 0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll
Size: 899KB
MD5: 6c17de8cbe7fff4f101e5a9457cdb036
SHA1: 39a05fbb37f5f1f535f64d6ab26d6adc3562412d
SHA256: 0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5
SHA512: 801febd8418f708aeb521385831cf27b45afe6265c2fdd2ab94c56ada5885e2a302c88df9faecaff6d9174ac8d1ee0731e10a1e42595b764cbd7c14f30a02f37
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXR:7wqd87VR
Malware Config (extracted)

Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral1/memory/2976-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid | process
  2976 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description | pid | process | target process
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
  PID 2980 wrote to memory of 2976 | 2980 | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll,#1
   PID: 2980
   Flags: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2980)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll,#1
      PID: 2976
      Flags: Suspicious behavior: RenamesItself