MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1229e269392fe04e35bc34789d8334a61c5f8051d6bae6a433b87f61f4dc08cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 2 File information Comments

SHA256 hash:	1229e269392fe04e35bc34789d8334a61c5f8051d6bae6a433b87f61f4dc08cc
SHA3-384 hash:	2d9cf66b4aedc1a34b3195e83b8f01d6ff6ed13c34ad769acaccd68f5b264d2a406d594f007f235895fc69d374a502fa
SHA1 hash:	5a9e78e275c69f5e79b428da903c83bd1070cf9a
MD5 hash:	03418970a30083b0c882a0baac7a7567
humanhash:	arizona-floor-romeo-lima
File name:	1229E269392FE04E35BC34789D8334A61C5F8051D6BAE.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	196'608 bytes
First seen:	2022-04-04 05:11:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5c9c33b53ae59fc197827326e2f1f8b9 (1 x Gh0stRAT)
ssdeep	3072:nJb0acfuJCVIbcpiUHnVMDgeYJRRv3Vkg76pc1q2At7+eOpSelbQN5PYem9G1n94:qac9VKO6EhRv3KeF2vcXbQN5PYd9G190
Threatray	5 similar samples on MalwareBazaar
TLSH	T187148D227346DB08F9A2A1308669FB114F52D3E5534470DEE680C6F89D26EEBC2F45DB
File icon (PE):
dhash icon	c9d5c4cda6a8cec6 (2 x Gh0stRAT)
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
183.236.2.18:8001

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
183.236.2.18:8001	https://threatfox.abuse.ch/ioc/488453/

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/260314/

Detection(s):

Win.Trojan.Zegost-9834085-0

Win.Trojan.Zegost-9837526-0

MiscreantPunch.SingleXOR.EXE.53.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a service

Creating a file in the %temp% directory

Moving a file to the Program Files subdirectory

Сreating synchronization primitives

Launching a service

DNS request

Enabling autorun for a service

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/12469/overview

Behaviour

MalwareBazaar

SystemUptime

EnumerateProcesses

CallSleep

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

backdoor greyware hupigon obfuscated pcclient

Link:

https://www.filescan.io/uploads/624a7e23aa7e43c6a6b4ae37/reports/5caa29bb-8383-4821-88b4-f3fe645a00ae/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Gh0st RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27807e90-d359-4d80-bbab-3be61ee88468

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1229e269392fe04e35bc34789d8334a61c5f8051d6bae6a433b87f61f4dc08cc/

Threat name:

Win32.Infostealer.Magania

Status:

Malicious

First seen:

2011-07-12 22:02:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ciu6e2jzf7qe4nn4gr4j3azuuyof7acr225onjbtxb7wd5g4bdga._file

Verdict:

malicious

Gh0stRAT

3c536c1558eba42c1967d9732bf9afd25c9c3c28bfbdc0028b945e88f1141d90

Gh0stRAT

4b4c466ee72c0d623339564402175b47d68189d129bc9c3e61d0a8a504265acc

Gh0stRAT

d0f12bda2588a792791f7be73d708851ac33cfed631c45172d858ffd090cbb18

Gh0stRAT

e046697b4102be8e3ad4b6e04524e7248d86b58f6d9f4884357fd33768878fbd

Gh0stRAT

Result

Malware family:

n/a

Score:

8/10

Tags:

bootkit persistence

Link:

https://tria.ge/reports/220404-fvt33sfdap/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Drops file in System32 directory

Writes to the Master Boot Record (MBR)

Deletes itself

Loads dropped DLL

Sets DLL path for service in the registry

Sets service image path in registry

Unpacked files

SH256 hash:

5b4382637f4a7be1fe18df01569ba8336bd6b09e59cfcefcd002451dce906286

MD5 hash:

c051040cfa497201d2b59dfe91806467

SHA1 hash:

7d1e106a1dbf2f19cc7b5b9c6d201f6fd612cbd0

Link:

https://www.unpac.me/results/53871e88-f50f-40cd-9f7f-365752ce51d0/

SH256 hash:

1229e269392fe04e35bc34789d8334a61c5f8051d6bae6a433b87f61f4dc08cc

MD5 hash:

03418970a30083b0c882a0baac7a7567

SHA1 hash:

5a9e78e275c69f5e79b428da903c83bd1070cf9a

Link:

https://www.unpac.me/results/53871e88-f50f-40cd-9f7f-365752ce51d0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/1229e269392fe04e35bc34789d8334a61c5f8051d6bae6a433b87f61f4dc08cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Backdoor_Redosdru_Jun17 Create hunting rule
Author:	Florian Roth
Description:	Detects malware Redosdru - file systemHome.exe
Reference:	https://goo.gl/OOB3mH

Rule name:	Backdoor_Redosdru_Jun17_RID2FD1 Create hunting rule
Author:	Florian Roth
Description:	Detects malware Redosdru - file systemHome.exe
Reference:	https://goo.gl/OOB3mH

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260314/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample