Analysis
max time kernel: 141s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 01:44
Behavioral task: behavioral1
Sample: cb203993d23dddfe720784dbc198fc9a6f947b272d7e28e1c4dee123761bb6b9.dll
Resource: win7-20240708-en
6 signatures
150 seconds
General
Target: cb203993d23dddfe720784dbc198fc9a6f947b272d7e28e1c4dee123761bb6b9.dll
Size: 899KB
MD5: 447fc7e31d9742e61ef41bd7ca80f0e2
SHA1: faaed3052cf78ca3ba43bf09de10a3f73e1ee215
SHA256: cb203993d23dddfe720784dbc198fc9a6f947b272d7e28e1c4dee123761bb6b9
SHA512: aa92747aedf3c8e43b4a28a3f3b135b7c84d261e09d5c45a6b3b8cf8567a412022ac4bdd4885136edac9b31c935f45b07927f7b6f7ce4eb60f8babeec30e51a7
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXb:7wqd87Vb
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures

Gh0st RAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/2092-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat

Gh0strat family

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2092 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2780 wrote to memory of 2092 | 2780 | rundll32.exe | 84
PID 2780 wrote to memory of 2092 | 2780 | rundll32.exe | 84
PID 2780 wrote to memory of 2092 | 2780 | rundll32.exe | 84
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb203993d23dddfe720784dbc198fc9a6f947b272d7e28e1c4dee123761bb6b9.dll,#1
   PID: 2780
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb203993d23dddfe720784dbc198fc9a6f947b272d7e28e1c4dee123761bb6b9.dll,#1
      PID: 2092
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: RenamesItself