gh0strat | 8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08

General

Target

8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe
Size

83KB
MD5

05c6cb96e97f3ee0b93ae3652bcb8fff
SHA1

8a58bef69e11ec7943289ccf58e320f10a76162c
SHA256

8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08
SHA512

5873da7d6b248d827b8b0602e36809a803ca4205f378fbfa03574000a1674eee1d8c2b6770526b699d7ef02abd033393e693f5f515e22328f4dc1f47356d55f4
SSDEEP

1536:56xsm+IVWw9Yu6JEfjYeJvn08XfF9ulpXudVnH2OPc+q:ExsfOPBdn007e8dNWQc+

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/1380-64-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral1/memory/824-67-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral1/memory/544-70-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat
behavioral1/memory/700-71-0x0000000000400000-0x0000000000434000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
824	Sogou.exe
544	Sougou.exe
700	Sogou.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/files/0x0008000000005c51-57.dat	upx
behavioral1/files/0x0008000000005c51-59.dat	upx
behavioral1/files/0x000a0000000122f3-60.dat	upx
behavioral1/memory/1380-64-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x000a0000000122f3-62.dat	upx
behavioral1/files/0x0008000000005c51-63.dat	upx
behavioral1/memory/824-67-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/files/0x0008000000005c51-68.dat	upx
behavioral1/memory/544-70-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/700-71-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1380	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe
544	Sougou.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyu = "C:\\progra~1\\Common Files\\Sogou.exe"	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyu = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\progra~1\Common Files\Sogou.exe	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe
File created	C:\progra~1\Common Files\Sogou.exe	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 824	1380	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe	27
PID 1380 wrote to memory of 824	1380	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe	27
PID 1380 wrote to memory of 824	1380	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe	27
PID 1380 wrote to memory of 824	1380	8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe	27
PID 544 wrote to memory of 700	544	Sougou.exe	29
PID 544 wrote to memory of 700	544	Sougou.exe	29
PID 544 wrote to memory of 700	544	Sougou.exe	29
PID 544 wrote to memory of 700	544	Sougou.exe	29

C:\Users\Admin\AppData\Local\Temp\8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe
"C:\Users\Admin\AppData\Local\Temp\8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:824

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:544
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Common Files\Sogou.exe

Filesize
83KB

MD5
05c6cb96e97f3ee0b93ae3652bcb8fff

SHA1
8a58bef69e11ec7943289ccf58e320f10a76162c

SHA256
8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08

SHA512
5873da7d6b248d827b8b0602e36809a803ca4205f378fbfa03574000a1674eee1d8c2b6770526b699d7ef02abd033393e693f5f515e22328f4dc1f47356d55f4

Download Submit
C:\PROGRA~1\Common Files\Sogou.exe

Filesize
83KB

MD5
05c6cb96e97f3ee0b93ae3652bcb8fff

SHA1
8a58bef69e11ec7943289ccf58e320f10a76162c

SHA256
8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08

SHA512
5873da7d6b248d827b8b0602e36809a803ca4205f378fbfa03574000a1674eee1d8c2b6770526b699d7ef02abd033393e693f5f515e22328f4dc1f47356d55f4

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.1MB

MD5
6a2ea4775c7ad239cfcc779c13882028

SHA1
e24a5252846c8335d467cfec426cf60a4e67e1ce

SHA256
557fb7a363e7aa12be5d0d398e3967f04bb701c2cbd9e30d4ccc1fdca6c9160a

SHA512
02ac0684bebdfd17c4ae0805781542a08c917cf3b9c5f53f6b5287ec618b1d47ad0591281517edb5ef24032a1e7a4754a85cbec1493b35dc3f9ee552ce1caf93

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.1MB

MD5
6a2ea4775c7ad239cfcc779c13882028

SHA1
e24a5252846c8335d467cfec426cf60a4e67e1ce

SHA256
557fb7a363e7aa12be5d0d398e3967f04bb701c2cbd9e30d4ccc1fdca6c9160a

SHA512
02ac0684bebdfd17c4ae0805781542a08c917cf3b9c5f53f6b5287ec618b1d47ad0591281517edb5ef24032a1e7a4754a85cbec1493b35dc3f9ee552ce1caf93

Download Submit
C:\progra~1\Common Files\Sogou.exe

Filesize
83KB

MD5
05c6cb96e97f3ee0b93ae3652bcb8fff

SHA1
8a58bef69e11ec7943289ccf58e320f10a76162c

SHA256
8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08

SHA512
5873da7d6b248d827b8b0602e36809a803ca4205f378fbfa03574000a1674eee1d8c2b6770526b699d7ef02abd033393e693f5f515e22328f4dc1f47356d55f4

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
83KB

MD5
05c6cb96e97f3ee0b93ae3652bcb8fff

SHA1
8a58bef69e11ec7943289ccf58e320f10a76162c

SHA256
8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08

SHA512
5873da7d6b248d827b8b0602e36809a803ca4205f378fbfa03574000a1674eee1d8c2b6770526b699d7ef02abd033393e693f5f515e22328f4dc1f47356d55f4

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
83KB

MD5
05c6cb96e97f3ee0b93ae3652bcb8fff

SHA1
8a58bef69e11ec7943289ccf58e320f10a76162c

SHA256
8e19a5742b7ba12a3a9c2ddd9a07eb4f77323c3713a59eb9fb72bd71f6412f08

SHA512
5873da7d6b248d827b8b0602e36809a803ca4205f378fbfa03574000a1674eee1d8c2b6770526b699d7ef02abd033393e693f5f515e22328f4dc1f47356d55f4

Download Submit
memory/544-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-72-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/700-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-66-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing