Analysis
max time kernel: 140s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-07-2024 15:36
Behavioral task
behavioral1
Sample: 316a2374df492789c437e170bc6c292cc8fef8211c9355355fd2b1b96a460128.dll
Resource: win7-20240708-en (windows7-x64)
4 signatures, 150 seconds

Note that the task listed here (behavioral1, Windows 7) is not the one whose results follow: the signatures and process tree below belong to the Windows 10 run (behavioral2), as the memory-dump resource path behavioral2/memory/4444-... and its PID 4444 show.
General
Target: 316a2374df492789c437e170bc6c292cc8fef8211c9355355fd2b1b96a460128.dll
Size: 899KB
MD5: 901247e619460f03b3922ed3311c1e00
SHA1: 180afa007ef0af322a11f3818f8de76842ef09ed
SHA256: 316a2374df492789c437e170bc6c292cc8fef8211c9355355fd2b1b96a460128
SHA512: 30d8a40268560f803c4e9a73d7336f1f62eb55bfd6463c7fa40f73c3254b43b6fa76194ff9504508d5d865acde4fdb30ea3ece275b6c91204d368113bd34f893
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXI:7wqd87VI
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net

f3322.net is a dynamic DNS service, so the address behind this hostname can change at any time; block and hunt on the FQDN (and on DNS queries for it) rather than on whatever IP it resolved to during the run.
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/4444-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
  The rule matched a memory region of PID 4444 (the 32-bit rundll32.exe) starting at 0x10000000, the default image base of 32-bit MSVC-built DLLs, which is consistent with the sample being an x86 DLL mapped at its preferred base.
- Suspicious behavior: RenamesItself (1 IoC)
  pid 4444, Process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 372 wrote to memory of 4444
  pid 372, Process rundll32.exe, procid_target 83
  (the same write was recorded three times)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\316a2374df492789c437e170bc6c292cc8fef8211c9355355fd2b1b96a460128.dll,#1
   PID: 372
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 372)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\316a2374df492789c437e170bc6c292cc8fef8211c9355355fd2b1b96a460128.dll,#1
      PID: 4444
      - Suspicious behavior: RenamesItself

The ",#1" argument tells rundll32 to call the DLL's export at ordinal 1 rather than a named function. The 64-bit rundll32.exe in system32 cannot load a 32-bit DLL, so it re-launches the WoW64 copy from SysWOW64 with the same command line; the actual Gh0st payload therefore runs in PID 4444, which is where the yara hit and the RenamesItself behavior were observed. For detection, the combination of a DLL in %LOCALAPPDATA%\Temp loaded by ordinal, a system32-to-SysWOW64 rundll32 parent-child chain, and the parent writing into the child's memory is a far stronger signal than any one of the three alone.
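The following is an added example, not part of the sandbox report, showing how the three rundll32 observations above (ordinal load of a DLL from a user-writable directory, the system32 to SysWOW64 rundll32 chain, and the parent writing into the child's memory) can be turned into detection logic and run over process-creation records in the shape of Sysmon Event ID 1. The events are constructed to mirror the report's process tree; the parent PID 1234 and the third, benign-looking rundll32 launch are assumptions added for contrast, and the rule names are this example's own. It also parses the report's memory-dump resource name to recover the PID and the mapped region.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\316a2374df492789c437e170bc6c292cc8fef8211c9355355fd2b1b96a460128.dll")

# Constructed events mirroring the report's process tree. The parent PID 1234 and
# the third, benign-looking rundll32 launch are assumptions added for contrast.
EVENTS = [
    ProcEvent(372, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4444, 372, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(5000, 1234, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Constructed WriteProcessMemory records (source pid, target pid); the report
# logged 372 -> 4444 three times.
WRITES = [(372, 4444), (372, 4444), (372, 4444)]

# rundll32 <dll>,<export>; the export is an ordinal when it starts with '#'
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Sandbox memory-dump resource name: <pid>-<n>-0x<start>-0x<end>-memory.dmp
MEM_RES_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp", re.I)


def parse_rundll(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def parse_memory_resource(resource):
    """Return (pid, start, end, size) from a yara memory-dump resource path."""
    m = MEM_RES_RE.search(resource)
    if not m:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return int(m.group("pid")), start, end, end - start


def triage(events, writes):
    """Return (pid, rule, detail) tuples for the rundll32 patterns in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parsed = parse_rundll(e.cmdline)
        if not parsed:
            continue
        dll, export = parsed
        # DLL loaded by ordinal from a user-writable directory
        if export.startswith("#") and any(d in dll.lower() for d in USER_WRITABLE):
            findings.append((e.pid, "rundll32_temp_dll_ordinal", f"{dll},{export}"))
        # 64-bit rundll32 re-launching the WoW64 copy: the DLL is 32-bit
        parent = by_pid.get(e.ppid)
        if (parent and "\\system32\\rundll32.exe" in parent.image.lower()
                and "\\syswow64\\rundll32.exe" in e.image.lower()):
            findings.append((e.pid, "rundll32_x64_to_wow64_chain", f"parent pid {parent.pid}"))
    # rundll32 writing into the memory of its own rundll32 child
    for src, dst in sorted(set(writes)):
        s, d = by_pid.get(src), by_pid.get(dst)
        if (s and d and d.ppid == s.pid and "rundll32.exe" in s.image.lower()
                and parse_rundll(d.cmdline)):
            findings.append((dst, "rundll32_writes_child_memory", f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, WRITES):
        print(finding)
    print(parse_memory_resource(
        "behavioral2/memory/4444-0-0x0000000010000000-0x000000001014F000-memory.dmp"))
```

Run as-is it reports the ordinal load for both PIDs 372 and 4444, the WoW64 chain and the cross-process write for PID 4444, and nothing for the shell32.dll launch; the memory resource parses to PID 4444 with a 0x14F000-byte region at 0x10000000. The USER_WRITABLE list and the three rule names are this example's choices and would be tuned to the environment's own baseline of rundll32 usage.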