Analysis

max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 19:43

Behavioral task: behavioral1
Sample: 9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll
Resource: win7-20240611-en
4 signatures, 150 seconds
General

Target: 9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll
Size: 51KB
MD5: ffde749f0ff900a8f24e423129a12c5b
SHA1: d3ece51d58a81fda41b26b2cd54d9aae63059248
SHA256: 9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555
SHA512: 27eefc05f47dc087cc054d233edaf5f43a308b0346d8e353ff1f0ccf6b18bbb953408241fd5edf0c10f8323f8e88da29917edcd33e14e7a49dafd1b56090d3e4
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL4JYH5:1dWubF3n9S91BF3fboUJYH5
Malware Config

Extracted
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2236-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 2236, process: rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2500 wrote to memory of 2236; process: rundll32.exe; procid_target: 28 (the same event is recorded 7 times)
Processes

C:\Windows\system32\rundll32.exe (PID 2500)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll,#1
  Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\rundll32.exe (PID 2236)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll,#1
    Suspicious behavior: RenamesItself