Analysis

  Max time kernel:  140s
  Max time network: 122s
  Platform:         windows7_x64
  Resource:         win7-20240419-en
  Resource tags:    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  Submitted:        23-06-2024 18:46

Behavioral task: behavioral1
  Sample:     b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll
  Resource:   win7-20240419-en
  Signatures: 4
  Task time:  150 seconds
General

  Target: b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll
  Size:   899KB
  MD5:    3728ccd766ddb58f552e1f6dff4b3d7f
  SHA1:   7c5d68600ca82e24bf33fd1a14e7d585dd750e90
  SHA256: b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11
  SHA512: 3b5cc9c4907af8198c38dd21704a7c65b452c98698f879ede5876287d9db690553a6f9705e5b40a1d12a842c70ca3fa546f8c89dd596ab3069fda0966adaea68
  SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXQ:7wqd87VQ
Malware Config

Extracted
  Family: gh0strat
  C2:     hackerinvasion.f3322.net

Note: f3322.net is a dynamic-DNS parent domain, so the indicator to block or hunt on is the full hostname hackerinvasion.f3322.net, not the apex, and the IP it resolves to should be expected to change.
Signatures

Gh0st RAT payload (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/2452-0-0x0000000010000000-0x000000001014F000-memory.dmp    family_gh0strat

  The hit is on a memory dump of the 32-bit child (PID 2452), a 0x14F000-byte region mapped at 0x10000000, the default preferred image base for DLLs built with MSVC. The family match is therefore on the in-memory image, not on the file as it sits on disk.

Suspicious behavior: RenamesItself (1 IoC)
  pid    Process
  2452   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid    Process        procid_target
  PID 1740 wrote to memory of 2452     1740   rundll32.exe   28

  The same parent-to-child write (1740 -> 2452) is recorded seven times; all seven rows are identical.
Processes

  C:\Windows\system32\rundll32.exe  (PID 1740)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 2452)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll,#1
      - Suspicious behavior: RenamesItself

The sample is a 32-bit DLL (hence the arch:x86 tag), so the 64-bit rundll32.exe from System32 re-launches its SysWOW64 counterpart with the same arguments; the WriteProcessMemory events above are that parent writing into the child it spawned. The ",#1" argument tells rundll32 to call export ordinal 1 rather than a named export, and the DLL is run from the user's Temp directory.
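The process tree above is the part of this report that translates most directly into a host detection: rundll32 loading a DLL from a user-writable Temp directory, by export ordinal, and then spawning a second rundll32. The following is an added example and not part of the sandbox output. The event records and their field names (pid, ppid, image, command_line) are constructed to mirror the report's tree; the ppid 1200 given to the first rundll32 and the benign control event are assumptions, since the report shows neither.

```python
"""Detection over process-creation events for the rundll32 pattern in the report.

Added example: this is not part of the sandbox report. The event records
and their field names (pid, ppid, image, command_line) are constructed to
mirror the report's process tree; ppid 1200 for the first rundll32 and the
benign control event are assumptions, not data from the report.
"""
import re
from typing import Dict, List

# Paths a standard user can write to. A system binary loading a DLL from
# here is worth a look regardless of malware family.
USER_WRITABLE_DLL = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE
)

# rundll32 <dll>,<entry>: entry is "#N" for an export ordinal or a name.
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def analyse(event: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Return the reasons a rundll32 launch resembles the report's; [] if none."""
    reasons: List[str] = []
    if not is_rundll32(event["image"]):
        return reasons
    m = RUNDLL32_ARGS.search(event["command_line"])
    if not m:
        return reasons
    dll, entry = m.group("dll"), m.group("entry")
    if USER_WRITABLE_DLL.match(dll):
        reasons.append(f"DLL loaded from a user-writable temp directory: {dll}")
    if entry.startswith("#"):
        reasons.append(f"entry point given by ordinal {entry} rather than by name")
    parent = by_pid.get(event["ppid"])
    if parent is not None and is_rundll32(parent["image"]):
        # 64-bit rundll32 hands a 32-bit DLL to its SysWOW64 copy, which is why
        # the report's WriteProcessMemory hits are rundll32 -> rundll32.
        reasons.append(f"spawned by rundll32 pid {parent['pid']} (x64 -> WoW64 hand-off)")
    return reasons


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that trips at least one check."""
    by_pid = {e["pid"]: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        reasons = analyse(e, by_pid)
        if reasons:
            hits[e["pid"]] = reasons
    return hits


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll")

# Constructed events mirroring the report's tree (pids 1740 -> 2452), plus one
# benign control: a System32 DLL called by export name. ppid 1200 is assumed.
EVENTS = [
    {"pid": 1740, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "command_line": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 2452, "ppid": 1740, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 3000, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Run stand-alone, the script flags PID 1740 on two counts (Temp-directory DLL, ordinal entry point) and PID 2452 on three (the same two plus a rundll32 parent), and stays silent on the shell32.dll control. Each check is weak on its own; the combination of a user-writable DLL path, an ordinal entry point and a rundll32-to-rundll32 hand-off is what makes the report's tree stand out.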