gh0strat | fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904

General

Target

fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe
Size

115KB
MD5

4b3acf55b1beb5ec4d663eb6177ab9d8
SHA1

2b014a238b55de2577f5fde75349820b688757f8
SHA256

fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904
SHA512

9bbb02c23d589a44c1dc8fd0a70ad724f32edc95013c36e7524cb79a8048451eda975a71f016520efe9b678d195fe4cae63658b7c538c61518dbedc29bafc370
SSDEEP

1536:cLXg1/zjn7lH2IqMa9n6cEXWoIfMA001GO+3MbfgJk65Nn5gzU75:SX87lBIn6HfyMA00sGgJkI35

Score

10^/10

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000005c50-57.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
2020	Sogou.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRIS = "C:\\Windows\\Sogou.exe"	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\svchest.exe	Sogou.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Sogou.exe	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe
File opened for modification	C:\Windows\Sogou.exe	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
280	taskkill.exe
1980	taskkill.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	280	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 280	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	27
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 1044 wrote to memory of 2020	1044	fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe	29
PID 2020 wrote to memory of 1980	2020	Sogou.exe	30
PID 2020 wrote to memory of 1980	2020	Sogou.exe	30
PID 2020 wrote to memory of 1980	2020	Sogou.exe	30
PID 2020 wrote to memory of 1980	2020	Sogou.exe	30

C:\Users\Admin\AppData\Local\Temp\fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe
"C:\Users\Admin\AppData\Local\Temp\fd829feece4aaa6b63311799dbb4b3086aa504b7378ec77d67a6f06de8dc2904.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ksafetray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Windows\Sogou.exe
  C:\Windows\Sogou.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ksafetray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Sogou.exe

Filesize
60.1MB

MD5
68474f4df4ff886368e8aaeea84da5cb

SHA1
b1f7437f719f3877b49056a011e6a685d56f4886

SHA256
1f6e85a8918692b964167b3e0a6e1d213fbf1edfc3a6898ac7d192aa450d1ba5

SHA512
2ed2698c85c499d2045c8b2fcf175aef300660d212e05e1497919d1808c6e79c19109fd55220dcf3b4be7e04d50e2c6ac4e718b0e767b15c80d1e131a625225c

Download Submit
memory/1044-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing