Analysis
max time kernel: 141s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 16:48
Behavioral task: behavioral1
Sample: 715f7537468b339d14877dc4d668f2e6079cfb5941e22e5c268fc2e598bc43b2.dll
Resource: win7-20240903-en
6 signatures, 150 seconds
General
Target: 715f7537468b339d14877dc4d668f2e6079cfb5941e22e5c268fc2e598bc43b2.dll
Size: 50KB
MD5: 21510d4f2cb02524357289de73a8cc3d
SHA1: 3be7a78244292209dacab861d52a0e95bb79989d
SHA256: 715f7537468b339d14877dc4d668f2e6079cfb5941e22e5c268fc2e598bc43b2
SHA512: 3b3a13e5691ee306bb9a9b40f5b1a546afe4ae2832a2c440054445854a2a13d64f4a600ad33f8e506c18e440f576efd410b0e6057655c07dfc09e1a575238597
SSDEEP: 1536:WD1N4TeeWMWfPbp2WTrW9L3JPPgJ+o5ZJYH:W5ReWjTrW9rNPgYoHJYH
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2988-0-0x0000000010000000-0x0000000010011000-memory.dmp
  yara_rule: family_gh0strat
Gh0strat family
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: rundll32.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid: 2988
  Process: rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 1480 wrote to memory of 2988
  pid: 1480
  Process: rundll32.exe
  procid_target: 30
  (the same event is recorded 7 times)
Processes
C:\Windows\system32\rundll32.exe (PID 1480)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\715f7537468b339d14877dc4d668f2e6079cfb5941e22e5c268fc2e598bc43b2.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2988)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\715f7537468b339d14877dc4d668f2e6079cfb5941e22e5c268fc2e598bc43b2.dll,#1
    signatures: System Location Discovery: System Language Discovery; Suspicious behavior: RenamesItself