gh0strat | 392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

Analysis

max time kernel
144s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
Size

179KB
MD5

11875740398942ee2cc75d1f7805c1c1
SHA1

5bd449ee9f2b31fcd523ab868dc8fbd236d003c8
SHA256

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626
SHA512

7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55
SSDEEP

3072:ESJUC/BLNNB7jGVMc7AlhKhAMIN9Z8scPCgJtt:ESJNNNrG58hm09JcCgB

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 18 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-56.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-58.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-60.dat	family_gh0strat
behavioral1/files/0x00090000000126f1-61.dat	family_gh0strat
behavioral1/files/0x00090000000126f1-63.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-65.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-64.dat	family_gh0strat
behavioral1/files/0x000c0000000054a8-67.dat	family_gh0strat
behavioral1/memory/1964-69-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/1964-72-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/896-71-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/936-73-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/936-74-0x00000000003C0000-0x00000000003EE000-memory.dmp	family_gh0strat
behavioral1/memory/1496-75-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/936-76-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/1496-77-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral1/memory/896-78-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
896	Sogou.exe
936	Sougou.exe
1496	Sogou.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
1964	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
936	Sougou.exe
936	Sougou.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\progra~1\Common Files\Sogou.exe	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe
File created	C:\progra~1\Common Files\Sogou.exe	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 896	1964	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	28
PID 1964 wrote to memory of 896	1964	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	28
PID 1964 wrote to memory of 896	1964	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	28
PID 1964 wrote to memory of 896	1964	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	28
PID 936 wrote to memory of 1496	936	Sougou.exe	30
PID 936 wrote to memory of 1496	936	Sougou.exe	30
PID 936 wrote to memory of 1496	936	Sougou.exe	30
PID 936 wrote to memory of 1496	936	Sougou.exe	30

C:\Users\Admin\AppData\Local\Temp\392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
"C:\Users\Admin\AppData\Local\Temp\392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:896

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:936
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
C:\PROGRA~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.2MB

MD5
4aafef6466759a45cee69b857152f4f6

SHA1
00805afb06e0bd0b106bf04c006c3dc447345663

SHA256
2266ec07e2bd7b5562cc505ec47addf40ae0b0a8cf83118353da21a81bfabfff

SHA512
338432b80ea793acc08e9de32e7c6ac4557922f5e53b01f4a64b862ad1f1e7c532396c55f3ee8904da11fc65c8a08175b50eba73b6fe534f470d56bf17b8db4b

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.2MB

MD5
4aafef6466759a45cee69b857152f4f6

SHA1
00805afb06e0bd0b106bf04c006c3dc447345663

SHA256
2266ec07e2bd7b5562cc505ec47addf40ae0b0a8cf83118353da21a81bfabfff

SHA512
338432b80ea793acc08e9de32e7c6ac4557922f5e53b01f4a64b862ad1f1e7c532396c55f3ee8904da11fc65c8a08175b50eba73b6fe534f470d56bf17b8db4b

Download Submit
C:\progra~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
memory/896-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/896-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/936-74-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download
memory/936-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/936-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1496-75-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1496-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-70-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1964-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download