MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f
SHA3-384 hash: f1f620ba5858e5927447445875833197eced6b3e051214e178c769fc945128a1364681c255a96f215426675cf244f919
SHA1 hash: c7acffc2d4e01a59d6a8ae6db4b09f963869b2cc
MD5 hash: 33416b60fc97e9e72d8146f7b4f32328
humanhash: california-echo-potato-princess
File name:33416b60fc97e9e72d8146f7b4f32328
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:544'768 bytes
First seen:2021-02-09 15:01:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1fd253bae4332505c298af514c6340d2 (2 x Gh0stRAT)
ssdeep 6144:R6AXtAOfFELJlZn9ocihaFcRfp1pjO4bi+G+bHq3aZROrNu9lM7Wm:R6ZOfFkxJFc1XxVi0bKXu7Dm
Threatray 780 similar samples on MalwareBazaar
TLSH 2CC49D52F7C0452AC916113E4F825B295EF2EC764BE14CC3BB1C7A9C9538BE89E7E205
Reporter JAMESWT_WT
Tags:Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
33416b60fc97e9e72d8146f7b4f32328
Verdict:
Malicious activity
Analysis date:
2020-10-13 15:56:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c360863-bbfe-4341-8d3f-85db3e1a52d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116206/
Detection(s):
SecuriteInfo.com.BackDoor.Generic_r.PVF.32524.17836.UNOFFICIAL
Create hunting rule

Win.Trojan.Zegost-9828868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/603193
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2017-11-21 12:17:17 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
34 of 46 (73.91%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
Gh0stRAT
15198db6364e7676c89fd343b0ae8d44b216c5da6ea8d627e525e08d5889ddf2
Gh0stRAT
27773e11c6819e9fbbcf0d547fbf2cca3da04918d04a3dd9cab82f36a28c8252
Gh0stRAT
3774be9b40ea80453e8d666d1fb4f7e43758b307d1631735ae0b9a9f1eb6f8f5
Gh0stRAT
5439d13bbab7a6469eea772dbec45e2b08553462f2664e1e48cfee852b6525b2
Gh0stRAT
6d2c4017b8f44df58ac0c40581c211fcf975f6515e77bd67dc50f03243021a8a
Gh0stRAT
8f08385add724e16ab49fddc0a9dc3064a54ad5241a76a63115ea5042524bd2d
Gh0stRAT
a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d
Gh0stRAT
c5cd43a8d9f8bc594501ff81ba10f519ce321a0699f2de951dc7e8e19936775e
Gh0stRAT
d1597e82baaf9f9d66a8f577c8a656d17192c7a5dbc80ced5c89046b7592dce1
Gh0stRAT
+ 770 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210209-nq19ax38dn/
Behaviour
Modifies system certificate store
Unpacked files
SH256 hash:
aeeb21360a426bea27c4372c8cff7691726f12a4a8767581272302e254114a79
MD5 hash:
c3123d35477c1a89dd6731a66697e303
SHA1 hash:
e7c6ca9beb2a74fb178f3857e98dbb204f8e0508
Link:
https://www.unpac.me/results/6bf27da0-3742-4688-8f8b-47343c06a1d5/
SH256 hash:
43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f
MD5 hash:
33416b60fc97e9e72d8146f7b4f32328
SHA1 hash:
c7acffc2d4e01a59d6a8ae6db4b09f963869b2cc
Link:
https://www.unpac.me/results/6bf27da0-3742-4688-8f8b-47343c06a1d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GhostDragon_Gh0stRAT
Create hunting rule
Author:Florian Roth
Description:Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:https://blog.cylance.com/the-ghost-dragon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/116206/

Comments