gh0strat | e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
Size

132KB
MD5

c2aa0dbf079052d3fcb4ae0bf284a50b
SHA1

3ca7559c910ff4e1fc7bc19d43173bab24c98bf0
SHA256

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03
SHA512

c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1
SSDEEP

3072:zTgDaJ/AiU6bGP5PBBkOdL07rRg2ABSEsEQ37XWys:XgDaJ/7CPNiNAg2eXWys

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
\PROGRA~1\Common Files\Sogou.exe	family_gh0strat
\PROGRA~1\Common Files\Sogou.exe	family_gh0strat
C:\PROGRA~1\Common Files\Sogou.exe	family_gh0strat
C:\progra~1\Common Files\Sogou.exe	family_gh0strat
C:\Windows\SysWOW64\Sougou.exe	family_gh0strat
C:\Windows\SysWOW64\Sougou.exe	family_gh0strat
\PROGRA~1\Common Files\Sogou.exe	family_gh0strat
C:\PROGRA~1\Common Files\Sogou.exe	family_gh0strat
\PROGRA~1\Common Files\Sogou.exe	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 3 IoCs

Processes:

Sogou.exeSougou.exeSogou.exe

pid process

1536 Sogou.exe
1064 Sougou.exe
2040 Sogou.exe

pid	process
1536	Sogou.exe
1064	Sougou.exe
2040	Sogou.exe

Loads dropped DLL 4 IoCs

Processes:

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exeSougou.exe

pid	process
768	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
768	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
1064	Sougou.exe
1064	Sougou.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exeSougou.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyu = "C:\\progra~1\\Common Files\\Sogou.exe"	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyu = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe

Drops file in System32 directory 1 IoCs

Processes:

Sogou.exe

description ioc process

File created C:\Windows\SysWOW64\Sougou.exe Sogou.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

Drops file in Program Files directory 3 IoCs

Processes:

Sougou.exee6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe

description	ioc	process
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe
File created	C:\progra~1\Common Files\Sogou.exe	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
File opened for modification	C:\progra~1\Common Files\Sogou.exe	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exeSougou.exe

description	pid	process	target process
PID 768 wrote to memory of 1536	768	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 768 wrote to memory of 1536	768	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 768 wrote to memory of 1536	768	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 768 wrote to memory of 1536	768	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 1064 wrote to memory of 2040	1064	Sougou.exe	Sogou.exe
PID 1064 wrote to memory of 2040	1064	Sougou.exe	Sogou.exe
PID 1064 wrote to memory of 2040	1064	Sougou.exe	Sogou.exe
PID 1064 wrote to memory of 2040	1064	Sougou.exe	Sogou.exe

C:\Users\Admin\AppData\Local\Temp\e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
"C:\Users\Admin\AppData\Local\Temp\e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:768
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1536

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
C:\PROGRA~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.1MB

MD5
da6d29baf5b75e8dd8375f88651b141c

SHA1
6dfccf1105c096cf0c096e08c1480461fc5ea620

SHA256
3276d98f4474fdd1d4869573ec7b976deb0503421f03a5b3c55e24799f97c4e4

SHA512
08f54e7801e44239ac5f0e52471f47a773ec703611e54354fe70b0e52dd2ca2398098f62306d1967501a824682bbfb1c4bac8b2b48375624737ba90072bbaf10

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.1MB

MD5
da6d29baf5b75e8dd8375f88651b141c

SHA1
6dfccf1105c096cf0c096e08c1480461fc5ea620

SHA256
3276d98f4474fdd1d4869573ec7b976deb0503421f03a5b3c55e24799f97c4e4

SHA512
08f54e7801e44239ac5f0e52471f47a773ec703611e54354fe70b0e52dd2ca2398098f62306d1967501a824682bbfb1c4bac8b2b48375624737ba90072bbaf10

Download Submit
C:\progra~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1536-57-0x0000000000000000-mapping.dmp

Download
memory/2040-66-0x0000000000000000-mapping.dmp

Download