MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc
SHA3-384 hash:	7b7b54af67330328d9c735f8a54cbc5ed96ab80c855b3cb002027c81d92448fdb7d726edc4c7c1bb73b48569c9a41590
SHA1 hash:	31c5039f7a2534f8a8b0915b62f3a6f744c1f0b0
MD5 hash:	e2b41d74c9b417aacaf1cf0e5b0df5db
humanhash:	green-thirteen-mango-colorado
File name:	优质客户精料话术框架xlsxp.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	520'192 bytes
First seen:	2023-03-19 08:15:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b9606ccae7f25235a598b6c63c59eea3 (1 x Gh0stRAT)
ssdeep	12288:hh9rd3EzdxmW/MW9W2tBKDeUlQBPoriT:z+xBLIHtQGiT
TLSH	T151B4BF127AE70815F7A66A741FD2A4FE4B22F4670B0B629F315C131E5B22E518C9237F
TrID	55.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 21.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.1% (.EXE) Win64 Executable (generic) (10523/12/4) 4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	54d79531e8e8f170 (1 x Gh0stRAT)
Reporter	Ma3649280267183
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

242

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

优质客户精料话术框架xlsxp.exe

Verdict:

Malicious activity

Analysis date:

2023-03-19 08:28:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0fccfd4-84d1-4ea8-8313-cb09eba9d837

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/375551/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Moving a recently created file

Searching for the window

Replacing files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

explorer.exe packed

Link:

https://www.filescan.io/uploads/6416c4c4c65d1ebf04c180eb/reports/60c21c43-f700-46be-9c18-d8ba818d84a3/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd449988-8b45-428f-9af7-2d847696bd9d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1196897

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc/

Threat name:

Win32.Trojan.Tedy

Status:

Malicious

First seen:

2023-03-19 08:16:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 22 (63.64%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bf5qmopkyxoorhne7br6gkglptnvtxo3s6duavwvorn2u2vfjh6a._file

Verdict:

unknown

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:gh0strat rat

Link:

https://tria.ge/reports/230319-j55t4sff54/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

Modifies system certificate store

Script User-Agent

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Executes dropped EXE

Loads dropped DLL

Modifies RDP port number used by Windows

Gh0st RAT payload

Gh0strat

Malware Config

C2 Extraction:

27.124.41.180

Unpacked files

SH256 hash:

097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc

MD5 hash:

e2b41d74c9b417aacaf1cf0e5b0df5db

SHA1 hash:

31c5039f7a2534f8a8b0915b62f3a6f744c1f0b0

Link:

https://www.unpac.me/results/e44c5c59-e84a-4fcc-80df-edf0d1074866/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.08

Link:

https://yomi.yoroi.company/submissions/097b0639eac5dce89da4f863e328cb7cdb59dddb97874056d5745baa6aa549fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/375551/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample