Analysis
max time kernel: 145s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2024 19:43
Behavioral task: behavioral1
Sample: 9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll
Resource: win7-20240611-en
Signatures: 4
Duration: 150 seconds
General
Target: 9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll
Size: 51KB
MD5: ffde749f0ff900a8f24e423129a12c5b
SHA1: d3ece51d58a81fda41b26b2cd54d9aae63059248
SHA256: 9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555
SHA512: 27eefc05f47dc087cc054d233edaf5f43a308b0346d8e353ff1f0ccf6b18bbb953408241fd5edf0c10f8323f8e88da29917edcd33e14e7a49dafd1b56090d3e4
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoL4JYH5:1dWubF3n9S91BF3fboUJYH5
Malware Config (extracted)
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures

Gh0st RAT payload (1 IoC)
  resource:  behavioral2/memory/4144-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 4144   process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process       procid_target
  PID 3520 wrote to memory of 4144  3520  rundll32.exe  81
  PID 3520 wrote to memory of 4144  3520  rundll32.exe  81
  PID 3520 wrote to memory of 4144  3520  rundll32.exe  81
Processes (tree depth shown by indentation)

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll,#1
   PID: 3520
   signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b0cf6d51ee902649088a4bdabdb934b47ec5d2a8ec3eb849ed4d5678f666555.dll,#1
      PID: 4144
      signatures: Suspicious behavior: RenamesItself