MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
SHA3-384 hash: 655f4e27fb22810daf484b533c3c4f57c33c29ad69506194418c0878547e13019c9a93148a5f78816e0592daa7c65141
SHA1 hash: 88713e2c2583415c77d964b5657831a250d0fe88
MD5 hash: 4c9b9870f7cb54f94cab08354334ebf1
humanhash: spaghetti-mockingbird-autumn-mango
File name:װ.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:4'655'104 bytes
First seen:2024-06-12 18:07:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37f075af0be292eecc79e56533b278b2 (2 x Gh0stRAT)
ssdeep 98304:1JeVusCcg53j1qLd9z/Wro8xSFfsGegFLOAkGkzdnEVomFHKnPs:/shG3Q+o8xSFEGegFLOyomFHKnPs
Threatray 15 similar samples on MalwareBazaar
TLSH T1C42659197E5C0C29CA52D332C544E1E79DE9EFE0952F83929988FB9D5030643FCA64BE
TrID 58.2% (.OCX) Windows ActiveX control (116521/4/18)
28.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
5.2% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.2% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter sentotayam
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b.exe
Verdict:
Malicious activity
Analysis date:
2024-06-12 18:08:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a58e549f-01be-4c33-a721-c14074f8e2f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen28.31518.25603.17718.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6669e3f6a2bce47be7d8073bwin7simulatehigh_evasion
Tags:
Encryption Execution Network Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a service
Launching a service
Enabling autorun for a service
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bd5781e5-f1fc-4603-a8a4-bfb0611a6fcd
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1456168
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1456168 Sample: #U05f0.exe Startdate: 12/06/2024 Architecture: WINDOWS Score: 100 31 k1.laomaogege2.com 2->31 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for dropped file 2->45 47 15 other signatures 2->47 8 #U05f0.exe 1 2 2->8         started        12      .exe 2->12         started        14 svchost.exe 2->14         started        signatures3 process4 file5 27 C:\Windows\SysWOW64\      .exe, PE32 8->27 dropped 29 C:\Windows\SysWOW64\...\.exe:Zone.Identifier, ASCII 8->29 dropped 49 Found evasive API chain (may stop execution after checking mutex) 8->49 51 Self deletion via cmd or bat file 8->51 53 Contains functionality to automate explorer (e.g. start an application) 8->53 57 5 other signatures 8->57 16 cmd.exe 1 8->16         started        55 Drops executables to the windows directory (C:\Windows) and starts them 12->55 19      .exe 1 12->19         started        signatures6 process7 dnsIp8 37 Uses ping.exe to sleep 16->37 39 Uses ping.exe to check the status of other devices and networks 16->39 22 PING.EXE 1 16->22         started        25 conhost.exe 16->25         started        33 k1.laomaogege2.com 45.204.85.28, 10085, 49705, 49706 CTC-HKColleaguesTechnologyCOLIMITEDHK Seychelles 19->33 signatures9 process10 dnsIp11 35 127.0.0.1 unknown unknown 22->35
Score:
48%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2024-06-12 18:08:12 UTC
File Type:
PE (Exe)
Extracted files:
823
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bybc4qzy4fsq3avhdgyatrfkppk67jb6ojiy4a4vo56qxy36ybfq._file
Verdict:
malicious
Similar samples:
34c9f3d0e2c4772ca97819e9080dcb10673790f7b3778a598118dfd141fd14e2
Gh0stRAT
3ef14f469d7554de72cb7845067af1ae991ed2114d09ba6f4e913787f24c61c1
Gh0stRAT
5c2a6b11d876c5bad520ff9e79be44dfbb05ee6a6ff300e8427deab35085bef6
Gh0stRAT
aa1384efaa91d44664e62c9dd9a035553c8f36d229c7745389291846045dc060
Gh0stRAT
e1f3874c42cdd4e2c49477d7b2bc3ebd3bcd4e3a2cf882fa4d1ea09546c74f5d
Gh0stRAT
f9b9034411d8190fafa5592aacd427fbf49c21eeda708b4675aa72d71bc37f21
Gh0stRAT
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240612-wqv3ksvaqc/
Behaviour
Suspicious use of SetWindowsHookEx
Drops file in System32 directory
Unpacked files
SH256 hash:
db02bd03b54cd2fd7d525612ba1841d1eefde56cbb8bb5f364b659ef14067213
MD5 hash:
6abe001711095d8dcfbcdd6a509ed8bd
SHA1 hash:
e56e2f9c58fee2c8fd3233f8464fb52c7641ad4d
Detections:
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
check_installed_software
Create hunting rule
Mimikatz_Strings
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
MALWARE_Win_Zegost
Create hunting rule
Link:
https://www.unpac.me/results/4beb7e2e-8962-415b-a014-c3471343f6bd/
Parent samples :
0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
d5b97d4be78dd6e6795c7e5376faeeaa58ac0b40629ea67291f223d42f19553a
5c86a4498bc05f88149ad40cc97ae4584a769840e8fb259a2bd2b3bf07d96919
0d5fd3da00f55402d3a66a8dd9f005b30d541cf2504073bc61c9ab260dccc4f0
0df117613af0902c70b911dfac2ee615177502036b2335490417aee11db9dfed
0271dce68b059c6996c2af61298a54b5dac89d9b4a76e4849e715ccaf7466dc9
d71bb15d343dd91690efb049eba30f28aecc17500bd2deb7204f48282e45576e
4cf92b27d387c9f3aaee9bc12de4eb22f2e8a6b6179affc4575a5d778cee173b
6d0d5b0d4b6a0c4a99f227d38bfe87bd10079034bbd41c90c34a8244aab55a84
481f80be12bf59f0f7a813410241e9101d68725e7e5e9dd0caede8709c5a75c9
a81700bf767bd7c4ee3ba71c954ad1bc37b89818a8953466bb7d858f8a4d26bd
b642e6abf52baf150f8f06464a4f43fe8c86b984a859a20ba096e2dc950e4bf6
aa9380ebe4adbb984507dacb82fc077026f2ebd0535af216a6569b04ce9d3efe
5e189d616ee4fe528bc165b7528b071619408d43bbfd9c82c045aeeb55276478
68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6
39de176c5876211820f2a565b740fdbb716cb0c9a27798732a9beeddef32b509
c9fc0c580e2cd2e376e7103422b581255da63295b94a96cd9121afa467a6583a
e341ad06bffac6637eceabcca1809cb2cb0378a4a02a0deb60c6be8536e97d81
6fddee12262f702de7ff59bf6a8178069576ae4ca57eae62d9d3c7cfb3814a53
8d2e9aa524bd78eb971e05a03741b92be58b52d9b7e4693896b2f3820d2fa683
0a6308c3c221fba00a3d53e944f515a00eb348187117828aa5ae59db36ee2a10
f980a395b1d3f5a2a4720e6cd57edaf5819105af9d9bb153e6a854dad0aa5659
9408a7c93e8115afe26a6a12e8bfce35d741cdc890ee2d08b7dba9eb6bacdde1
eb689bd8c8fe09a6e4e2e5b41cb3c4538c64bc5ef92938480646d10685db6e67
SH256 hash:
0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
MD5 hash:
4c9b9870f7cb54f94cab08354334ebf1
SHA1 hash:
88713e2c2583415c77d964b5657831a250d0fe88
Link:
https://www.unpac.me/results/4beb7e2e-8962-415b-a014-c3471343f6bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_APICan Play MultimediaWINMM.dll::PlaySoundA
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
SHLWAPI.dll::PathRemoveFileSpecW
KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
ole32.dll::OleCreateMenuDescriptor
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA

Comments