Analysis

max time kernel: 140s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 11:52
Behavioral task: behavioral1
Sample: 84d62c497b58e221bdc94d9bc8b6352c5ab8963be7b128fd23d3c8e2cc5f0638.dll
Resource: win7-20240708-en
Platform: windows7-x64
Signatures: 4
Duration: 150 seconds
General

Target: 84d62c497b58e221bdc94d9bc8b6352c5ab8963be7b128fd23d3c8e2cc5f0638.dll
Size: 51KB
MD5: 60d4e1909d8311f60958347c2114a38d
SHA1: f73266508410e59f96e905954cb3a67efcef14ed
SHA256: 84d62c497b58e221bdc94d9bc8b6352c5ab8963be7b128fd23d3c8e2cc5f0638
SHA512: 33f2ad4748957ca85ccb8b3569574998e916bd568b0c8fc3575c858d09a3618dd2ac9b9e31f997e55a2c7149969fa9b63b4c3a24859f554e1c9f4529b7b99a73
SSDEEP: 1536:1WmqoiBMNbMWtYNif/n9S91BF3frnoLsJYH5:1dWubF3n9S91BF3fbowJYH5
Malware Config

Extracted
Family: gh0strat
C2: kinh.xmcxmr.com
Signatures

Gh0st RAT payload (1 IoC)
  resource:  behavioral2/memory/3668-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat

Suspicious behavior: RenamesItself (1 IoC)
  pid: 3668
  process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       procid_target
  PID 4960 wrote to memory of 3668   4960  rundll32.exe  84
  PID 4960 wrote to memory of 3668   4960  rundll32.exe  84
  PID 4960 wrote to memory of 3668   4960  rundll32.exe  84
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84d62c497b58e221bdc94d9bc8b6352c5ab8963be7b128fd23d3c8e2cc5f0638.dll,#1
   PID: 4960
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 4960)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\84d62c497b58e221bdc94d9bc8b6352c5ab8963be7b128fd23d3c8e2cc5f0638.dll,#1
      PID: 3668
      - Suspicious behavior: RenamesItself