Analysis
max time kernel: 140s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 17:49

Behavioral task: behavioral1
Sample: bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll
Resource: win7-20240221-en
4 signatures
150 seconds
General
Target: bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll
Size: 899KB
MD5: 046ea1af16b85123018980a6f6a57e0b
SHA1: d2d434668f4326408575a32d18f5e39c00f8c3e7
SHA256: bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9
SHA512: 10264bb2d59632b0d705ce0a3b74d712dd5878ebae37ced8afe36efc3a64e38f628986be55aa028971e645d3cef3d3c92c04c28f21de91eed143d6e29a2cfc2f
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXU:7wqd87VU
Malware Config (Extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
resource                                                                          yara_rule
behavioral1/memory/1872-0-0x0000000010000000-0x000000001014F000-memory.dmp        family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
pid     Process
1872    rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid     Process         procid_target
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
PID 1976 wrote to memory of 1872    1976    rundll32.exe    28
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll,#1
  PID: 1976
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll,#1
    PID: 1872
    - Suspicious behavior: RenamesItself