MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04ac3bd28388262ae4c1b8e905796d09862da493112cbe7c9b2595c17a10ed55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04ac3bd28388262ae4c1b8e905796d09862da493112cbe7c9b2595c17a10ed55
SHA3-384 hash: 894aa7ea4b1771afc6552b5ba86a59e5bac7d48f6c701e1ded3858f94830745b7fbaf87fff1530b94be906d56d218678
SHA1 hash: 9d239d58f964c4598699d1859896ef5d6b0bed64
MD5 hash: d6f7c683a7a474c59ba9edea432aa106
humanhash: fish-juliet-india-east
File name:d6f7c683a7a474c59ba9edea432aa106.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:2'233'892 bytes
First seen:2023-01-06 09:39:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa973e943a4cd83909b15cbfc2c4eaf3 (3 x Gh0stRAT)
ssdeep 49152:FY2NQc/pRhZbjkFD3hOO2h6hXLIfv81GsvD/DX+y4onCYDoD5:FY2NbpRhMROLh6ZLZGsvD/D+donCYUV
Threatray 16'873 similar samples on MalwareBazaar
TLSH T14BA52389FD652139E6626670981239DCD9E41CE10A7CC9BA47F407DA3F711F9A83B2C3
TrID 32.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.7% (.SCR) Windows screen saver (13097/50/3)
11.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d6f7c683a7a474c59ba9edea432aa106.exe
Verdict:
No threats detected
Analysis date:
2023-01-06 09:41:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9844c495-2644-4b62-ac17-0f52aa30f5ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349918/
Detection(s):
Win.Packed.Deepscan-7131208-0
Create hunting rule

Win.Tool.Adduser-9966692-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a service
Launching a service
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger overlay packed shell32.dll virus zusy
Link:
https://www.filescan.io/uploads/63b7ec73fc9525ae8a44e765/reports/6ea5511c-81cf-4f59-bdf1-7e232effc42e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
JenkinsMiner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ece35c50-9a55-40b8-9380-9f8eeaa22973
Result
Threat name:
Redosdru
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146397
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect virtualization through RDTSC time measurements
Yara detected Redosdru
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 779127 Sample: tQzJcCgHpH.exe Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for dropped file 2->41 43 11 other signatures 2->43 7 tQzJcCgHpH.exe 3 2->7         started        11 Nwqepbw.exe 2->11         started        13 svchost.exe 2->13         started        15 6 other processes 2->15 process3 file4 27 C:\Program Files (x86)27wqepbw.exe, PE32 7->27 dropped 29 C:\...29wqepbw.exe:Zone.Identifier, ASCII 7->29 dropped 45 Detected unpacking (changes PE section rights) 7->45 47 Tries to detect virtualization through RDTSC time measurements 7->47 49 Hides threads from debuggers 7->49 51 Contains functionality to detect sleep reduction / modifications 7->51 17 Nwqepbw.exe 1 7->17         started        20 Nwqepbw.exe 1 15 11->20         started        53 Changes security center settings (notifications, updates, antivirus, firewall) 13->53 23 MpCmdRun.exe 1 13->23         started        55 Query firmware table information (likely to detect VMs) 15->55 signatures5 process6 dnsIp7 31 kkk.990is.com 140.210.18.18, 30017 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN China 20->31 33 r.pengyou.com 20->33 35 Hides threads from debuggers 20->35 25 conhost.exe 23->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04ac3bd28388262ae4c1b8e905796d09862da493112cbe7c9b2595c17a10ed55/
Threat name:
Win32.Backdoor.PcClient
Create hunting rule
Status:
Malicious
First seen:
2022-12-03 15:05:20 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aswdxuudratcvzgbxduqk6lnbgdc3jetcewl47e3ewk4c6qq5vkq._file
Verdict:
malicious
Similar samples:
10d1ea43692d0049837a3ed5fa0eae8f9b8b6139d29aeab14750acf0505ee4b9
Gh0stRAT
14096f9b01306019cb0f790402eab8be314a1332b6d9cdb0ccf35c56aed175b7
Gh0stRAT
18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679
Gh0stRAT
31fc16d69939d4b8b18df3d0781b38aedfb4520ad14befa70d64d4f72e27bee6
Gh0stRAT
8aa720fbb142a30d24e082eb17f74ee926a4c28e6f811195518c45c1317faa24
Gh0stRAT
d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc
Gh0stRAT
dc4e5d4d2be064137622960cae6b97cc708c81bf79cb3ad5abed78914cdc76a2
Gh0stRAT
+ 16'863 additional samples on MalwareBazaar
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat rat upx
Link:
https://tria.ge/reports/230106-lm7l4afe92/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Gh0st RAT payload
Gh0strat
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d5db60a1-e6b7-4dd2-bc86-7eaf340064ab
Unpacked files
SH256 hash:
04ac3bd28388262ae4c1b8e905796d09862da493112cbe7c9b2595c17a10ed55
MD5 hash:
d6f7c683a7a474c59ba9edea432aa106
SHA1 hash:
9d239d58f964c4598699d1859896ef5d6b0bed64
Link:
https://www.unpac.me/results/74c9f13c-05a1-42c9-a8f5-715acd6c8040/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/04ac3bd28388262ae4c1b8e905796d09862da493112cbe7c9b2595c17a10ed55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349918/

Comments