Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-06-2024 19:43
Behavioral task
- task: behavioral1
- sample: 388365d170bf5db7a9df31d212c2e3548bcb0321b8001f7b82cfc3679b072637.dll
- resource: win7-20240508-en
- signatures: 4
- run time: 150 seconds
General
- Target: 388365d170bf5db7a9df31d212c2e3548bcb0321b8001f7b82cfc3679b072637.dll
- Size: 899KB
- MD5: af8a330701f0096150610f0f08d5bbe3
- SHA1: 3eaea378151b6ef54f0ac6d00f716a1fae73f7b6
- SHA256: 388365d170bf5db7a9df31d212c2e3548bcb0321b8001f7b82cfc3679b072637
- SHA512: 59166df76c1178de84f016750caace7fa0b627737a9ee6134372f601ab3a801ce79bec53a1f29f1782c24e665ef157612f12cf256a2dec733d51c43b6ccedba5
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXk:7wqd87Vk
Malware Config (extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2272-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2272, process rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2284 wrote to memory of 2272 (rundll32.exe, procid_target 28); the same event is recorded 7 times
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\388365d170bf5db7a9df31d212c2e3548bcb0321b8001f7b82cfc3679b072637.dll,#1
   PID: 2284
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2284)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\388365d170bf5db7a9df31d212c2e3548bcb0321b8001f7b82cfc3679b072637.dll,#1
      PID: 2272
      - Suspicious behavior: RenamesItself