Analysis
max time kernel: 146s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 18:46
Behavioral task: behavioral1
Sample: b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll
Resource: win7-20240419-en
4 signatures
150 seconds
General
Target: b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll
Size: 899KB
MD5: 3728ccd766ddb58f552e1f6dff4b3d7f
SHA1: 7c5d68600ca82e24bf33fd1a14e7d585dd750e90
SHA256: b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11
SHA512: 3b5cc9c4907af8198c38dd21704a7c65b452c98698f879ede5876287d9db690553a6f9705e5b40a1d12a842c70ca3fa546f8c89dd596ab3069fda0966adaea68
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXQ:7wqd87VQ
Malware Config (Extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
resource: behavioral2/memory/4512-0-0x0000000010000000-0x000000001014F000-memory.dmp
yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
pid: 4512
Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 1784 wrote to memory of 4512 | pid: 1784 | Process: rundll32.exe | procid_target: 81
description: PID 1784 wrote to memory of 4512 | pid: 1784 | Process: rundll32.exe | procid_target: 81
description: PID 1784 wrote to memory of 4512 | pid: 1784 | Process: rundll32.exe | procid_target: 81
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll,#1
   PID: 1784
   Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b53571fd233e3d7feb12cf1a24ffd33e1415ccc492f068e3ee4e412802b0ad11.dll,#1
      PID: 4512
      Suspicious behavior: RenamesItself