Analysis
  max time kernel:   140s
  max time network:  120s
  platform:          windows7_x64
  resource:          win7-20240419-en
  resource tags:     arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  submitted:         23-06-2024 18:49

Behavioral task: behavioral1
  Sample:    5f4f1c24a2b7a8cffe75d7b7a5dc695fae667acf7718dc58e4578fd2efc19fa9.dll
  Resource:  win7-20240419-en
  4 signatures
  150 seconds
General
  Target:  5f4f1c24a2b7a8cffe75d7b7a5dc695fae667acf7718dc58e4578fd2efc19fa9.dll
  Size:    50KB
  MD5:     1105d237664b91f7a6c4cc4e7f99cb08
  SHA1:    70ca1ea845e41732fea0705abaab51c08541174f
  SHA256:  5f4f1c24a2b7a8cffe75d7b7a5dc695fae667acf7718dc58e4578fd2efc19fa9
  SHA512:  dfa2ba7bf9bd43807717c74d89fecae51f8e3b72082b3b32c5a410548719d727e689985ae65a0f7e8355732515f3aa67f38904c8107aa3c4b8211b819e2679b9
  SSDEEP:  1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o57JYH:W5ReWjTrW9rNPgYolJYH
Malware Config (Extracted)
  Family:  gh0strat
  C2:      hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
  resource                                                              yara_rule
  behavioral1/memory/2180-0-0x0000000010000000-0x0000000010011000-memory.dmp  family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2180  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process       procid_target
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
  PID 1700 wrote to memory of 2180   1700  rundll32.exe  28
Processes

[1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f4f1c24a2b7a8cffe75d7b7a5dc695fae667acf7718dc58e4578fd2efc19fa9.dll,#1
    PID: 1700
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe  (child of [1])
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f4f1c24a2b7a8cffe75d7b7a5dc695fae667acf7718dc58e4578fd2efc19fa9.dll,#1
        PID: 2180
        - Suspicious behavior: RenamesItself