gh0strat | e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

General

Target

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
Size

132KB
MD5

c2aa0dbf079052d3fcb4ae0bf284a50b
SHA1

3ca7559c910ff4e1fc7bc19d43173bab24c98bf0
SHA256

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03
SHA512

c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1
SSDEEP

3072:zTgDaJ/AiU6bGP5PBBkOdL07rRg2ABSEsEQ37XWys:XgDaJ/7CPNiNAg2eXWys

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

Processes:

resource	yara_rule
C:\Program Files\Common Files\Sogou.exe	family_gh0strat
C:\progra~1\Common Files\Sogou.exe	family_gh0strat
C:\Windows\SysWOW64\Sougou.exe	family_gh0strat
C:\Windows\SysWOW64\Sougou.exe	family_gh0strat
C:\Program Files\Common Files\Sogou.exe	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 3 IoCs

Processes:

Sogou.exeSougou.exeSogou.exe

pid process

4396 Sogou.exe
1152 Sougou.exe
1940 Sogou.exe

pid	process
4396	Sogou.exe
1152	Sougou.exe
1940	Sogou.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sougou.exee6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyu = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyu = "C:\\progra~1\\Common Files\\Sogou.exe"	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe

Drops file in System32 directory 1 IoCs

Processes:

Sogou.exe

description ioc process

File created C:\Windows\SysWOW64\Sougou.exe Sogou.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

Drops file in Program Files directory 3 IoCs

Processes:

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exeSougou.exe

description	ioc	process
File created	C:\progra~1\Common Files\Sogou.exe	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
File opened for modification	C:\progra~1\Common Files\Sogou.exe	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exeSougou.exe

description	pid	process	target process
PID 1236 wrote to memory of 4396	1236	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 1236 wrote to memory of 4396	1236	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 1236 wrote to memory of 4396	1236	e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe	Sogou.exe
PID 1152 wrote to memory of 1940	1152	Sougou.exe	Sogou.exe
PID 1152 wrote to memory of 1940	1152	Sougou.exe	Sogou.exe
PID 1152 wrote to memory of 1940	1152	Sougou.exe	Sogou.exe

C:\Users\Admin\AppData\Local\Temp\e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe
"C:\Users\Admin\AppData\Local\Temp\e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1236

C:\progra~1\Common Files\Sogou.exe
"C:\progra~1\Common Files\Sogou.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1152

C:\progra~1\Common Files\Sogou.exe
"C:\progra~1\Common Files\Sogou.exe"
2⤵
- Executes dropped EXE
PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Sogou.exe
Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
C:\Program Files\Common Files\Sogou.exe
Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
C:\Windows\SysWOW64\Sougou.exe
Filesize
27.1MB

MD5
da6d29baf5b75e8dd8375f88651b141c

SHA1
6dfccf1105c096cf0c096e08c1480461fc5ea620

SHA256
3276d98f4474fdd1d4869573ec7b976deb0503421f03a5b3c55e24799f97c4e4

SHA512
08f54e7801e44239ac5f0e52471f47a773ec703611e54354fe70b0e52dd2ca2398098f62306d1967501a824682bbfb1c4bac8b2b48375624737ba90072bbaf10

Download Submit
C:\Windows\SysWOW64\Sougou.exe
Filesize
27.1MB

MD5
da6d29baf5b75e8dd8375f88651b141c

SHA1
6dfccf1105c096cf0c096e08c1480461fc5ea620

SHA256
3276d98f4474fdd1d4869573ec7b976deb0503421f03a5b3c55e24799f97c4e4

SHA512
08f54e7801e44239ac5f0e52471f47a773ec703611e54354fe70b0e52dd2ca2398098f62306d1967501a824682bbfb1c4bac8b2b48375624737ba90072bbaf10

Download Submit
C:\progra~1\Common Files\Sogou.exe
Filesize
132KB

MD5
c2aa0dbf079052d3fcb4ae0bf284a50b

SHA1
3ca7559c910ff4e1fc7bc19d43173bab24c98bf0

SHA256
e6dd59153035a706919ad0f77708ec198153a5ec6266ba5c583133a9f6a20e03

SHA512
c23aa7e429ab3d90815f4f7ae5ac6e9fa087ba2779ce40c1ceefb470285642e063aa1b4663e68f9175a5f13dfc169511564c158bec45e769f4c4c68a4d74a0b1

Download Submit
memory/1940-137-0x0000000000000000-mapping.dmp

Download
memory/4396-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads