Analysis
max time kernel: 140s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 03:09
Behavioral task
behavioral1
Sample: 1b26bad6f2f89f4dd63267a54acde9f470d1acc72efb6235c638aaa62a50b122.dll
Resource: win7-20240419-en
4 signatures
150 seconds
General
Target: 1b26bad6f2f89f4dd63267a54acde9f470d1acc72efb6235c638aaa62a50b122.dll
Size: 899KB
MD5: f7a75721f7996a0aa038f66705213a5e
SHA1: 2419219483066173e924c5414df87e0a09e73b13
SHA256: 1b26bad6f2f89f4dd63267a54acde9f470d1acc72efb6235c638aaa62a50b122
SHA512: baa7864a1a38efa0196d1a987b27e95b8e342e2d96e7cf3a001e8715a990098b9c08deb5ac6fde5e7084fcb5852ff06d1ef7ea60e2239e2861f47eb1ba0973f3
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PX5:7wqd87V5
Malware Config
Extracted
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoC)
Processes:
  resource: behavioral2/memory/2772-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid 2772, process rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process       target process
  PID 3248 wrote to memory of 2772   3248  rundll32.exe  rundll32.exe
  PID 3248 wrote to memory of 2772   3248  rundll32.exe  rundll32.exe
  PID 3248 wrote to memory of 2772   3248  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b26bad6f2f89f4dd63267a54acde9f470d1acc72efb6235c638aaa62a50b122.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b26bad6f2f89f4dd63267a54acde9f470d1acc72efb6235c638aaa62a50b122.dll,#1
    - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
memory/2772-0-0x0000000010000000-0x000000001014F000-memory.dmp
Filesize: 1.3MB