Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 17:49
Behavioral task: behavioral1
- Sample: bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll
- Size: 899KB
- MD5: 046ea1af16b85123018980a6f6a57e0b
- SHA1: d2d434668f4326408575a32d18f5e39c00f8c3e7
- SHA256: bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9
- SHA512: 10264bb2d59632b0d705ce0a3b74d712dd5878ebae37ced8afe36efc3a64e38f628986be55aa028971e645d3cef3d3c92c04c28f21de91eed143d6e29a2cfc2f
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXU:7wqd87VU
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/4220-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 4220, Process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4480 wrote to memory of 4220, pid: 4480, Process: rundll32.exe, procid_target: 80
  description: PID 4480 wrote to memory of 4220, pid: 4480, Process: rundll32.exe, procid_target: 80
  description: PID 4480 wrote to memory of 4220, pid: 4480, Process: rundll32.exe, procid_target: 80
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 4480
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf164ed7989b7a171c75907007e441b8d1089389924ba7231f525401c872ace9.dll,#1
    Suspicious behavior: RenamesItself
    PID: 4220