Analysis
max time kernel: 145s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 18:30
Behavioral task
behavioral1
Sample: 0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll
Resource: win7-20240508-en
4 signatures
150 seconds
General
Target: 0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll
Size: 899KB
MD5: 6c17de8cbe7fff4f101e5a9457cdb036
SHA1: 39a05fbb37f5f1f535f64d6ab26d6adc3562412d
SHA256: 0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5
SHA512: 801febd8418f708aeb521385831cf27b45afe6265c2fdd2ab94c56ada5885e2a302c88df9faecaff6d9174ac8d1ee0731e10a1e42595b764cbd7c14f30a02f37
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXR:7wqd87VR
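Before acting on this report against a file you hold, confirm the file is the same sample: recompute the four digests listed above in one pass and compare. The script below is an added example, not part of the sandbox report; the path of the local copy is an assumption, and the digests are copied verbatim from the General section.

```python
"""Recompute the digests listed under General for a local copy of the sample and
compare them with the report (added example; not part of the sandbox report)."""
import hashlib
import io

# Digests copied from the General section of the report.
REPORTED = {
    "md5": "6c17de8cbe7fff4f101e5a9457cdb036",
    "sha1": "39a05fbb37f5f1f535f64d6ab26d6adc3562412d",
    "sha256": "0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5",
    "sha512": "801febd8418f708aeb521385831cf27b45afe6265c2fdd2ab94c56ada5885e2a"
              "302c88df9faecaff6d9174ac8d1ee0731e10a1e42595b764cbd7c14f30a02f37",
}


def digest_stream(fh, chunk_size=1 << 20):
    """Read a binary stream once and feed each chunk to all four hashers,
    so a large sample is hashed in a single pass without loading it whole."""
    hashers = {name: hashlib.new(name) for name in REPORTED}
    size = 0
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digest_file(path):
    """Digest a file on disk (path is supplied by the caller)."""
    with open(path, "rb") as fh:
        return digest_stream(fh)


def digest_bytes(data):
    """Digest an in-memory byte string through the same streaming code."""
    return digest_stream(io.BytesIO(data))


def mismatches(result):
    """Return {algorithm: (reported, computed)} for every digest that differs;
    an empty dict means the local file is the analysed sample."""
    return {name: (exp, result[name]) for name, exp in REPORTED.items()
            if result[name].lower() != exp}


if __name__ == "__main__":
    import sys
    r = digest_file(sys.argv[1])  # path to the local copy is an assumption
    print(f"size: {r['size']} bytes ({r['size'] / 1024:.0f} KB)")
    bad = mismatches(r)
    print("match: file is the analysed sample" if not bad else f"MISMATCH: {bad}")
```

The reported size is rounded to whole kilobytes, so compare on the digests and treat the printed size only as a sanity check. SSDEEP is not recomputed here because it needs a third-party fuzzy-hashing package rather than the standard library.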
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
The C2 is a hostname under the f3322.net dynamic-DNS service, so the address it resolves to can change between detonations; alert and block on the hostname, not on whichever IP it resolved to during this run.
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/2516-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara rule: family_gh0strat
  The matching region in PID 2516 starts at 0x10000000, the default image base of a 32-bit DLL (the resource tags list the sample as arch:x86), so the hit is most likely on the DLL's own mapped image rather than on a separately injected region.
Suspicious behavior: RenamesItself (1 IoC)
  process: rundll32.exe, PID 2516
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4296 (rundll32.exe) wrote to memory of PID 2516 (rundll32.exe), three times
  The writes go from the 64-bit rundll32 into the SysWOW64 rundll32 it spawned for the same DLL (see Processes), not into an unrelated process. A 64-bit rundll32 handed a 32-bit DLL relaunches itself under WOW64, and a parent writes process parameters into its new child during process creation, so treat this signature as supporting context, not as evidence of injection into a foreign process.
Processes
C:\Windows\system32\rundll32.exe (PID 4296)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2516), child of PID 4296
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll,#1
    signatures: Suspicious behavior: RenamesItself
The sandbox ran the DLL with ",#1", i.e. by export ordinal 1, so what was detonated is whatever the DLL exports at that ordinal; a loader that calls a named export, or relies on DllMain alone, may trigger a different code path. The 64-bit rundll32 could not load the 32-bit DLL in-process and spawned the SysWOW64 copy with the identical command line, which is why both processes appear with the same DLL argument.
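The process tree and the extracted C2 give three things worth detecting on an endpoint: rundll32 loading a DLL from a user's Temp directory by ordinal, a System32 rundll32 spawning a SysWOW64 rundll32 for the same DLL, and DNS queries for the C2 or its dynamic-DNS parent. The script below is an added example, not part of the sandbox report: the event record shapes are assumptions (Sysmon-style process-creation and DNS-query fields), the made-up PIDs 1000 and 1001 and the benign rundll32 call are constructed sample data, and the dynamic-DNS suffix list is an assumption beyond the single C2 hostname the report extracted.

```python
"""Detection logic for the behaviour recorded in this report, run over
constructed sample events (added example; not part of the sandbox report)."""
import re
from dataclasses import dataclass

# Indicator taken from the report.
C2_DOMAIN = "hackerinvasion.f3322.net"
# Assumption: dynamic-DNS suffixes worth alerting on even when the host label changes.
DYNDNS_SUFFIXES = (".f3322.net", ".3322.org", ".f3322.org")


@dataclass
class ProcEvent:
    """Minimal process-creation record (shape is an assumption, Sysmon EID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class DnsEvent:
    """Minimal DNS-query record (shape is an assumption, Sysmon EID 22 style)."""
    pid: int
    query: str


# rundll32 <dll>,<export>  where <export> may be an ordinal such as #1
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?),(?P<export>#?\w+)", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def rundll32_temp_dll(ev: ProcEvent):
    """rundll32 loading a DLL from a per-user Temp directory by ordinal export."""
    if not ev.image.lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL32_RE.search(ev.cmdline)
    if m and USER_TEMP_RE.search(m["dll"]) and m["export"].startswith("#"):
        return f"pid {ev.pid}: rundll32 loads Temp DLL {m['dll']} via ordinal {m['export']}"
    return None


def rundll32_wow64_relaunch(ev: ProcEvent, by_pid: dict):
    """System32 rundll32 spawning SysWOW64 rundll32 for the same DLL: the 64-bit
    host was handed a 32-bit DLL and re-launched itself under WOW64."""
    parent = by_pid.get(ev.ppid)
    if parent is None:
        return None
    if ("\\syswow64\\rundll32.exe" in ev.image.lower()
            and "\\system32\\rundll32.exe" in parent.image.lower()):
        cm, pm = RUNDLL32_RE.search(ev.cmdline), RUNDLL32_RE.search(parent.cmdline)
        if cm and pm and cm["dll"].lower() == pm["dll"].lower():
            return f"pid {ev.pid}: WOW64 rundll32 spawned by pid {ev.ppid} for the same DLL"
    return None


def dyndns_c2(ev: DnsEvent):
    """Exact match on the extracted C2 first, then a broader dynamic-DNS suffix match."""
    q = ev.query.lower().rstrip(".")
    if q == C2_DOMAIN:
        return f"pid {ev.pid}: DNS query for known Gh0st RAT C2 {q}"
    if q.endswith(DYNDNS_SUFFIXES):
        return f"pid {ev.pid}: DNS query to dynamic-DNS host {q}"
    return None


def detect(proc_events, dns_events):
    """Return the alert strings raised by all rules over both event streams."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        for h in (rundll32_temp_dll(e), rundll32_wow64_relaunch(e, by_pid)):
            if h:
                hits.append(h)
    for e in dns_events:
        h = dyndns_c2(e)
        if h:
            hits.append(h)
    return hits


# Constructed sample events: the two processes from the report plus a benign
# rundll32 use and two DNS queries. PIDs 1000 and 1001 are made up.
DLL = r"C:\Users\Admin\AppData\Local\Temp\0fd70f5432ce440a4f7b7c3724b2488b50fd442c63072017f51163bdc9cf81d5.dll"
SAMPLE_PROCS = [
    ProcEvent(4296, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2516, 4296, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1001, 1000, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]
SAMPLE_DNS = [
    DnsEvent(2516, "hackerinvasion.f3322.net"),
    DnsEvent(1001, "www.microsoft.com"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_PROCS, SAMPLE_DNS):
        print(hit)
```

On the constructed input this raises four alerts (Temp-DLL-by-ordinal for both PIDs, the WOW64 relaunch for PID 2516, and the C2 query) and none for the benign Control Panel invocation or the unrelated DNS query. The WOW64 rule is the one most worth keeping separate: on its own it also fires for legitimate 32-bit DLLs, so score it as corroboration for the Temp-DLL rule rather than as a stand-alone alert.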