Analysis
- max time kernel: 141s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 15:41
Behavioral task
- behavioral1
- Sample: 24eab9e8ed0bc102ef48849d8ab8df06bfcb97ea645595a137ff6dec97a03d97.dll
- Resource: win7-20240903-en
- 6 signatures
- 150 seconds
General
- Target: 24eab9e8ed0bc102ef48849d8ab8df06bfcb97ea645595a137ff6dec97a03d97.dll
- Size: 899KB
- MD5: d98eb4743d0c96320471e8fe05faff02
- SHA1: 5f964204c3260837f7b7e6850aae3c38d457c8fa
- SHA256: 24eab9e8ed0bc102ef48849d8ab8df06bfcb97ea645595a137ff6dec97a03d97
- SHA512: dad5e49e8e115e15288b92f943acc0fb65218f1474cf13c8ef7bb12dfc3248da74c89efbc5270458741b5ce87e771b0e3eed3f5caea14f4a10f3cb5176d1e322
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX2:7wqd87V2
Malware Config
- Extracted
  - Family: gh0strat
  - C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/2404-0-0x0000000010000000-0x000000001014F000-memory.dmp | family_gh0strat
- Gh0strat family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  2404 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2544 wrote to memory of 2404 | 2544 | rundll32.exe | 83
  PID 2544 wrote to memory of 2404 | 2544 | rundll32.exe | 83
  PID 2544 wrote to memory of 2404 | 2544 | rundll32.exe | 83
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24eab9e8ed0bc102ef48849d8ab8df06bfcb97ea645595a137ff6dec97a03d97.dll,#1
  PID: 2544
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24eab9e8ed0bc102ef48849d8ab8df06bfcb97ea645595a137ff6dec97a03d97.dll,#1
    PID: 2404
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself