MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
SHA3-384 hash: 88c3d77713d82266c68b84cac39429807cb3c60a134706348bd69da4d870cfc8490d2c2d11d1485cb4c9c61c6ab3e9a5
SHA1 hash: 61946ce1c173fd2c38f6a28d70eba451ca74405e
MD5 hash: d7bf1cb9cbf29854989c85aa856aaf68
humanhash: table-eight-neptune-april
File name:05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:11'878'400 bytes
First seen:2024-11-18 13:06:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56863d39bacdd7065e1ff3fcb167d6fd (1 x Gh0stRAT)
ssdeep 6144:N/gOgT8rYNVoZaIqjgiwD+pVf0EOMMIuh5/RjRJncVWbyysiX6cw1pRu5F:7gsYMgjgiwD+pVf0OODjRJn4os+6M5F
Threatray 10 similar samples on MalwareBazaar
TLSH T1F3C66C217780E432C26231314B47D3B5A6AEBC709E3597877BD02B3E9E745D29A3C74A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon c484be8e8ed4c860 (1 x Gh0stRAT)
Reporter JAMESWT_WT
Tags:103-45-64-91 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
Verdict:
Malicious activity
Analysis date:
2024-11-18 13:14:09 UTC
Tags:
xor-url generic
Link:
https://app.any.run/tasks/49eca823-b230-479b-b0eb-2b83dde8733b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673b3cfb80d21948b0327117
Tags:
obfuscated rootkit blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Modifying an executable file
Creating a file
Launching a process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto explorer fingerprint keylogger lolbin microsoft_visual_cc
Link:
https://www.filescan.io/uploads/673b3c11046353eaf576cb41/reports/ec6e126e-2d24-4de9-9f10-eb54a962ec01/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75608bf8-6ef1-428a-9c61-ebd26e108371
Result
Threat name:
GhostRat, Mimikatz, Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557666
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557666 Sample: P6uSqL3TTL.exe Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 43 vod-all.ipv4.qiniu.com.volcgslb.com 2->43 45 sz-qiniu-v4.volcgtm.com 2->45 47 3 other IPs or domains 2->47 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 7 other signatures 2->57 8 P6uSqL3TTL.exe 1 22 2->8         started        signatures3 process4 dnsIp5 49 sz-qiniu-v4.volcgtm.com 183.204.211.252, 443, 49731, 49738 CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN China 8->49 35 C:\Users\user\AppData\Local\...\6[1].txt, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\5[1].txt, PE32 8->37 dropped 39 C:\Users\Public\Documents\MM\svchos.exe, PE32 8->39 dropped 41 C:\Users\Public\Documents\MM\libcef.dll, PE32 8->41 dropped 59 Found evasive API chain (may stop execution after checking mutex) 8->59 61 Found API chain indicative of debugger detection 8->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 8->63 13 cmd.exe 2 8->13         started        15 schtasks.exe 1 8->15         started        17 schtasks.exe 1 8->17         started        19 36 other processes 8->19 file6 signatures7 process8 process9 21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 conhost.exe 19->31         started        33 32 other processes 19->33
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2024-09-21 08:22:18 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=avujeafoutt4uqhn3xwladzfhvuwxeb2zh7d4ooxmdd2rpq256ka._file
Verdict:
malicious
Label(s):
hiddengh0st_rootkit
Create hunting rule
Similar samples:
05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
Gh0stRAT
083b02e21246fa17ee9ac50eab39033abd920274259ad848df9eb412d4350ec7
Gh0stRAT
76d971db6f688ff4128af82783ee23adfd42330218dae3814dc5787aec1efdae
Gh0stRAT
7847b9a12505379a454cb4c1fdd6513cbf351782697fef94beb5f32b1ddf401c
Gh0stRAT
7b3863ca9121435fcc8f0c4bdd7dfe0592aa2be0ec8a09da2166a4c0d17e5632
Gh0stRAT
e0fa6d69b26f18cfdef3bd930d067eca476b3d2cb78d14bec88f05ae87d25b1e
Gh0stRAT
error
Gh0stRAT
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241118-qcm7xsskcq/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
emotet emotet
YARA:
n/a
Link:
https://app.threat.zone/submission/4ac42d89-5ca6-415d-8042-0c93ab022ff4
Unpacked files
SH256 hash:
05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94
MD5 hash:
d7bf1cb9cbf29854989c85aa856aaf68
SHA1 hash:
61946ce1c173fd2c38f6a28d70eba451ca74405e
Link:
https://www.unpac.me/results/e7b27eed-49ab-452e-85c1-e13782cacb34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05689200aea4e7ca40edddecb00f253d696b903ac9fe3e39d760c7a8be1aef94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for malicious import combination that ransomware mostly use(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextA
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAGetOverlappedResult
WS2_32.dll::WSARecv
WS2_32.dll::WSAResetEvent
WS2_32.dll::WSASend
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments