gh0strat | 392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

General

Target

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
Size

179KB
MD5

11875740398942ee2cc75d1f7805c1c1
SHA1

5bd449ee9f2b31fcd523ab868dc8fbd236d003c8
SHA256

392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626
SHA512

7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55
SSDEEP

3072:ESJUC/BLNNB7jGVMc7AlhKhAMIN9Z8scPCgJtt:ESJNNNrG58hm09JcCgB

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 13 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022df1-133.dat	family_gh0strat
behavioral2/files/0x0008000000022df1-134.dat	family_gh0strat
behavioral2/memory/1936-135-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/memory/224-136-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022dfa-137.dat	family_gh0strat
behavioral2/files/0x0007000000022dfa-138.dat	family_gh0strat
behavioral2/files/0x0008000000022df1-140.dat	family_gh0strat
behavioral2/memory/224-141-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/memory/1936-142-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/memory/2916-143-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/memory/3720-144-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/memory/2916-145-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat
behavioral2/memory/3720-146-0x0000000000400000-0x000000000042E000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
224	Sogou.exe
2916	Sougou.exe
3720	Sogou.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\progra~1\Common Files\Sogou.exe	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
File opened for modification	C:\progra~1\Common Files\Sogou.exe	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3800	3720	WerFault.exe	84

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 224	1936	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	82
PID 1936 wrote to memory of 224	1936	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	82
PID 1936 wrote to memory of 224	1936	392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe	82
PID 2916 wrote to memory of 3720	2916	Sougou.exe	84
PID 2916 wrote to memory of 3720	2916	Sougou.exe	84
PID 2916 wrote to memory of 3720	2916	Sougou.exe	84

C:\Users\Admin\AppData\Local\Temp\392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe
"C:\Users\Admin\AppData\Local\Temp\392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1936
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:224

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2916
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  PID:3720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 684
    3⤵
    - Program crash
    PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3720 -ip 3720
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
C:\Program Files\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.2MB

MD5
4aafef6466759a45cee69b857152f4f6

SHA1
00805afb06e0bd0b106bf04c006c3dc447345663

SHA256
2266ec07e2bd7b5562cc505ec47addf40ae0b0a8cf83118353da21a81bfabfff

SHA512
338432b80ea793acc08e9de32e7c6ac4557922f5e53b01f4a64b862ad1f1e7c532396c55f3ee8904da11fc65c8a08175b50eba73b6fe534f470d56bf17b8db4b

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.2MB

MD5
4aafef6466759a45cee69b857152f4f6

SHA1
00805afb06e0bd0b106bf04c006c3dc447345663

SHA256
2266ec07e2bd7b5562cc505ec47addf40ae0b0a8cf83118353da21a81bfabfff

SHA512
338432b80ea793acc08e9de32e7c6ac4557922f5e53b01f4a64b862ad1f1e7c532396c55f3ee8904da11fc65c8a08175b50eba73b6fe534f470d56bf17b8db4b

Download Submit
C:\progra~1\Common Files\Sogou.exe

Filesize
179KB

MD5
11875740398942ee2cc75d1f7805c1c1

SHA1
5bd449ee9f2b31fcd523ab868dc8fbd236d003c8

SHA256
392a8f23af3997bb13e6d84df2b93c34e20712803a7da01b9a093844cc293626

SHA512
7b27ba48d8104df63cf0b49df820ea88b24f2c54c59a8777f379ec449b676b61e347b52fce0f0f50b3d4629eabecb8675e98f5807ba4380a962b6bb44f072d55

Download Submit
memory/224-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/224-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1936-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1936-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2916-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2916-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3720-144-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3720-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing