MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 18

Intelligence 18 IOCs YARA 12 File information Comments

SHA256 hash:	c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
SHA3-384 hash:	f04d5b76cff167324fae08e1460abfdc404d9f640d1dd45bf3f6f1f5ad719148573261d874f471fb813652a5aa909a6b
SHA1 hash:	68842768c9ae9deb1d1d7ed2b27846c392b47103
MD5 hash:	3809c59565787ee7398fe9222d4bd669
humanhash:	oranges-hot-december-jersey
File name:	MpMgSvc.jpg
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	3'338'240 bytes
First seen:	2025-02-21 21:36:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	30f2d038f1b85739a09af1775d3a9aeb (1 x Blackmoon, 1 x Gh0stRAT)
ssdeep	98304:g7VJRlDUJzwj3iIW874sAjT7sHSidp1zWnjN:8VJRBN7ojsHS2pI
TLSH	T154F533A9F1F3A0E3D872C5F83694FDD20008AD2320BB94154E8E5DC55576E9327E6BA3
TrID	41.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 25.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 10.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	035d94aaecdddb23 (1 x Blackmoon, 1 x Gh0stRAT)
Reporter	skocherhan
Tags:	exe Gh0stRAT

skocherhan

http://hook.ftp21.cc/MpMgSvc.jpg

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

phorpiex

ID:

File name:

Setup.ZIP

Verdict:

Malicious activity

Analysis date:

2024-07-05 00:22:13 UTC

Tags:

phorpiex zphp loader opendir telegram stealer vidar payload ta558 apt stegocampaign ransomware wacatac deathransom mpress upx meterpreter backdoor metasploit mimikatz tools evasion ip-check blackmoon shellcode cobaltstrike redline metastealer amadey botnet exfiltration stealc remcos rat remote netreactor

Link:

https://app.any.run/tasks/5756e020-04f6-4c33-95e0-64630b0b2fd8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Ascii_110_76_151_2-1

Win.Tool.Shadowbrokers-9775051-0

Win.Tool.Shadowbrokers-9800457-0

Win.Dropper.Tiggre-9845940-0

Win.Exploit.Ulise-9853106-0

Win.Trojan.Generic-9858245-0

Win.Trojan.Emotet-9858246-0

Win.Malware.Shadowbrokers-9885806-0

Win.Malware.Cxcd-9888060-0

Win.Malware.Cxcd-9888201-0

Win.Malware.Cxcd-9888693-0

Win.Malware.Shadowbrokers-9919377-0

Win.Tool.Shadowbrokers-9943477-0

Win.Tool.Shadowbrokers-9943479-0

Win.Tool.Shadowbrokers-10026173-0

Win.Malware.Cxce-10040847-0

Win.Tool.Shadowbrokers-10040848-0

Win.Exploit.EternalBlue-6320312-0

Win.Exploit.Eternal-6320394-0

Win.Exploit.EQGRP-6322722-0

Win.Exploit.Doublepulsar-7427328-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67b8f265a0fd713c335c43d8

Tags:

underscore blackmoon vmdetect

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt equationdrug masquerade microsoft_visual_cc obfuscated packed packed packed packer_detected scar upx

Link:

https://www.filescan.io/uploads/67b8f20a6222db7f23d82e60/reports/8ba703c2-f67a-47eb-99c2-a55e3a8b1bd6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

FuzzBunch

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/de3c6631-72b5-45b7-9099-3d5dd74f93b3

Result

Threat name:

DoublePulsar, ETERNALBLUE

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1621441

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Yara detected DoublePulsar

Yara detected ETERNALBLUE

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6/

Threat name:

Win32.Adware.Multiverze

Status:

Malicious

First seen:

2024-07-02 17:40:11 UTC

File Type:

PE (Exe)

Extracted files:

101

AV detection:

28 of 38 (73.68%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y5i5s4srzvtwatack23xt6v2zb6u5uwwi7ha3ayofilhbtjwc3da._file

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:blackmoon family:gh0strat banker discovery evasion persistence privilege_escalation rat trojan upx

Link:

https://tria.ge/reports/250221-1gjqea1jbs/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Drops file in Windows directory

Drops file in System32 directory

UPX packed file

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Boot or Logon Autostart Execution: Port Monitors

Downloads MZ/PE file

Creates a large amount of network flows

Blackmoon family

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

Gh0strat family

Modifies Windows Defender DisableAntiSpyware settings

Verdict:

Malicious

Tags:

Win.Trojan.Ascii_110_76_151_2-1

YARA:

n/a

Link:

https://app.threat.zone/submission/c7eba867-9379-4930-a098-8e394a9bbcee

Unpacked files

SH256 hash:

c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

MD5 hash:

3809c59565787ee7398fe9222d4bd669

SHA1 hash:

68842768c9ae9deb1d1d7ed2b27846c392b47103

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

21cc3de3b5f98724261f8258240b06dc0d9a254e095a3ff67f888c52374ce9bc

MD5 hash:

e498fc392667527ce5d7d69294c0ed81

SHA1 hash:

8e5603295c7a3b7cad02ea04b305cc7c5f8bde4d

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4

MD5 hash:

a539d27f33ef16e52430d3d2e92e9d5c

SHA1 hash:

f6d4f160705dc5a8a028baca75b2601574925ac5

Detections:

win_darkpulsar_auto

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7
dc1e68fc5367bd44af8bec53aa4d33e9a50c1012be139eeb056f45b0b365fa1a
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SH256 hash:

0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

MD5 hash:

3c2fe2dbdf09cfa869344fdb53307cb2

SHA1 hash:

b67a8475e6076a24066b7cb6b36d307244bb741f

Detections:

win_darkpulsar_auto

INDICATOR_TOOL_EXP_EternalBlue

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

SH256 hash:

b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3

MD5 hash:

f82fa69bfe0522163eb0cf8365497da2

SHA1 hash:

75be54839f3d01dc4755ddc319f23f287b1f9a7b

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937

MD5 hash:

a05c7011ab464e6c353a057973f5a06e

SHA1 hash:

e819a4f985657b58d06b4f8ad483d8e9733e0c37

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

MD5 hash:

c24315b0585b852110977dacafe6c8c1

SHA1 hash:

be855cd1bfc1e1446a3390c693f29e2a3007c04e

Detections:

win_doublepulsar_auto

win_doublepulsar_w0

EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1

EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1

INDICATOR_TOOL_EXP_EternalBlue

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

SH256 hash:

85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5 hash:

8c80dd97c37525927c1e549cb59bcbf3

SHA1 hash:

4e80fa7d98c8e87facecdef0fc7de0d957d809e1

Detections:

INDICATOR_TOOL_EXP_EternalBlue

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

SH256 hash:

b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b

MD5 hash:

4420f8917dc320a78d2ef14136032f69

SHA1 hash:

06cd886586835b2bf0d25fba4c898b69e362ba6d

Detections:

win_doublepulsar_w0

EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1

EquationGroup_Toolset_Apr17_Eternalromance_2

EquationGroup_Toolset_Apr17_Eternalromance

INDICATOR_TOOL_EXP_EternalBlue

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

SH256 hash:

5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee

MD5 hash:

f01f09fe90d0f810c44dce4e94785227

SHA1 hash:

036f327417b7e1c6e0b91831440992972bc7802e

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3

MD5 hash:

9a5cec05e9c158cbc51cdc972693363d

SHA1 hash:

ca4d1bb44c64a85871944f3913ca6ccddfa2dc04

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

be8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5

MD5 hash:

5e8ecdc3e70e2ecb0893cbda2c18906f

SHA1 hash:

43f92d0e47b1371c0442c6cc8af3685c2119f82c

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362

MD5 hash:

f0881d5a7f75389deba3eff3f4df09ac

SHA1 hash:

8404f2776fa8f7f8eaffb7a1859c19b0817b147a

Detections:

win_darkpulsar_auto

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

SH256 hash:

0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f

MD5 hash:

838ceb02081ac27de43da56bec20fc76

SHA1 hash:

972ab587cdb63c8263eb977f10977fd7d27ecf7b

Detections:

win_darkpulsar_auto

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

SH256 hash:

b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

MD5 hash:

3e89c56056e5525bf4d9e52b28fbbca7

SHA1 hash:

08f93ab25190a44c4e29bee5e8aacecc90dab80c

Detections:

win_darkpulsar_auto

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

SH256 hash:

f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a

MD5 hash:

6b7276e4aa7a1e50735d2f6923b40de4

SHA1 hash:

db8603ac6cac7eb3690f67af7b8d081aa9ce3075

Detections:

win_darkpulsar_auto

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Parent samples :

SH256 hash:

f247a48d3ecdbdf91fcd7a2d8728adaaf06149586adde62de7212c6de645ad58

MD5 hash:

cc55779eab28eb65877eec251b731d5b

SHA1 hash:

ae4ea94dd7a0acdcc358a09ab5e2b1847994ad91

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68

MD5 hash:

5b72ccfa122e403919a613785779af49

SHA1 hash:

f560ea0a109772be2b62c539b0bb67c46279abd1

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

aa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed

MD5 hash:

e4ad4df4e41240587b4fe8bbcb32db15

SHA1 hash:

e8c98dbcd20d45bbbbf4994cc4c95dfcf504c690

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

5bec6b3bc6f8cbda50a8c5195a488cc82d2e00f18ec75640db31b2376a6db9f9

MD5 hash:

5b6a804db0c5733d331eb126048ca73b

SHA1 hash:

f18c5acae63457ad26565d663467fa5a7fbfbee4

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

SH256 hash:

877dfe1737257374f22309a67dd0996ef9f23384ef55d2c3573ffc72c9f91ace

MD5 hash:

11e6caf2b71468f41f5c29a2aaa78737

SHA1 hash:

bbef2e3c38fe01c1258a49b0f43ab83a45df16b9

Detections:

win_doublepulsar_w0

BlackmoonBanker

EquationGroup_Toolset_Apr17_Eternalromance

Regin_Related_Malware

INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

INDICATOR_TOOL_EXP_EternalBlue

MALWARE_Win_BlackMoon

Link:

https://www.unpac.me/results/13a71e62-abf0-4100-a681-3c558433fb1a/

Malware family:

Equation Group

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c751d97251cd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

exe c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2916093/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2932461/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::waveOutOpen
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample