MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e71cb5a1c039483d63175a4f2200a6976ada786b6960e551bd4ef094950968e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e71cb5a1c039483d63175a4f2200a6976ada786b6960e551bd4ef094950968e
SHA3-384 hash: 72de7335dfec9945ee45dfcccc133bb4c7a2a44101378d4ad90db3089906b476da9d8cadb08917678ed44fe8fc99cb10
SHA1 hash: f750ee85986f8ded640a08c96438dc4f3f0f4a85
MD5 hash: 40c23b757f4d80c644ed36f01cbd8d7d
humanhash: undress-may-maine-cola
File name:Gouageahr_choure_aun.msi
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:55'798'784 bytes
First seen:2025-03-21 21:56:58 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:LYsbSILppWPaOcV+IAhHFJ8+ZtqxvUaIu8JzqBbQlgRztATufzs5c7wY0mB6cYFx:LYseIKiOcV+IADIIuFQWzsC7FvSeB4t
Threatray 2 similar samples on MalwareBazaar
TLSH T1E7C73321759EC232F66E15B15A29DA2BE53C7CE30B7008EB93E4F95A66304C25339F53
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:Gh0stRAT msi


Avatar
iamaachum
https://ymsk.ejfiwf.cn/llq/?sdclkid=b5-pA5fN15fiArD6AL2&bd_vid=10348690066710397994 =>https://ymsk.ejfiwf.cn/llq/Gouageahr_choure_aun.zip

C2: fs-im-kefu.7moor-fs1.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dde1edc8a812f780e7c928
Tags:
shellcode rootkit blic
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-vm cmd evasive expired-cert fingerprint fingerprint keylogger lolbin msiexec remote runonce wix
Link:
https://www.filescan.io/uploads/67dde0c3a175d31773446c15/reports/e746506a-b78a-4363-a307-052eabaec08e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0e71cb5a1c039483d63175a4f2200a6976ada786b6960e551bd4ef094950968e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/0e71cb5a1c039483d63175a4f2200a6976ada786b6960e551bd4ef094950968e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1645578
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
85%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/0e71cb5a1c039483d63175a4f2200a6976ada786b6960e551bd4ef094950968e
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-21 16:45:15 UTC
File Type:
Binary (Archive)
Extracted files:
282
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzy4wwq4aokihvrrowspeiaknf3k3j4gw2la4vi32txqsskqs2ha._file
Verdict:
malicious
Label(s):
hiddengh0st
Create hunting rule
Similar samples:
4f5c281124d2e9ce43ebf84c3dbf19da88617e5cf58077db3ac3a042dc3c60df
Gh0stRAT
69c6abe301d9900e6be8dd48d08cb58bfe477b3235828a8fd5dd3d974e43101e
Gh0stRAT
error
Gh0stRAT
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250321-1tzmdsvlx8/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Gathering data
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e71cb5a1c03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AlternativesExample1
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Microsoft Software Installer (MSI) msi 0e71cb5a1c039483d63175a4f2200a6976ada786b6960e551bd4ef094950968e

(this sample)

  
Link
https://tria.ge/250321-1ph4va1scv/behavioral1
  
Delivery method
Distributed via web download

Comments