MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
SHA3-384 hash: b437f7733574f598f3f5bcdb90cb69613e4684e4868ed91166c6177cff7ec8bad9c9377a0c96b17c73104d3bba1d82b9
SHA1 hash: c5b5bbc10b0901923bf13690d9e575b41d86ac59
MD5 hash: c51e84d4d53678605a1cb5feb6436c84
humanhash: dakota-stream-island-massachusetts
File name:1.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:384'000 bytes
First seen:2024-06-12 11:28:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92cbf1b7939e726b820cc211fce00750 (5 x Gh0stRAT)
ssdeep 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8NhY5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyxd
Threatray 67 similar samples on MalwareBazaar
TLSH T18D841210A4FE4C19C2C521700D2DAF8A6CBA50E52EB01C4FBEADFF765DF59D89028697
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter sentotayam
Tags:exe Gh0stRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
382
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054.exe
Verdict:
Malicious activity
Analysis date:
2024-06-12 11:31:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e9acb72-3c7d-4aa7-adae-79e7c92bafee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Farfli-9645812-0
Create hunting rule

Win.Trojan.Farfli-9645833-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66698662a2bce47be7d7fd48win10vpnfull_triage
Tags:
Execution Network Stealth Farfli
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file in the drivers directory
Creating a window
Loading a system driver
DNS request
Connection attempt
Launching a process
Creating a file
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc farfli microsoft_visual_cc packed zusy
Link:
https://www.filescan.io/uploads/666986860bf5978c0b0eab63/reports/00a11d12-0f3a-449f-97eb-116c4c0fb646/overview
Verdict:
Malicious
Labled as:
Trojan.Farfli
Link:
https://www.hybrid-analysis.com/sample/14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Hidden Rootkit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e752bfe-200c-4f4b-a6bb-ae1a0bba0251
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455948
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455948 Sample: 1.exe Startdate: 12/06/2024 Architecture: WINDOWS Score: 100 40 time.windows.com 2->40 42 gwyk.sp168.tv 2->42 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 7 other signatures 2->54 8 mscorsvww.exe 2->8         started        11 1.exe 1 2 2->11         started        14 svchost.exe 2->14         started        16 8 other processes 2->16 signatures3 process4 file5 62 Antivirus detection for dropped file 8->62 64 Multi AV Scanner detection for dropped file 8->64 66 Machine Learning detection for dropped file 8->66 68 Drops executables to the windows directory (C:\Windows) and starts them 8->68 18 mscorsvww.exe 14 1 8->18         started        36 C:\Windows\SysWOW64\mscorsvww.exe, PE32 11->36 dropped 38 C:\Windows\...\mscorsvww.exe:Zone.Identifier, ASCII 11->38 dropped 70 Self deletion via cmd or bat file 11->70 23 cmd.exe 1 11->23         started        72 Changes security center settings (notifications, updates, antivirus, firewall) 14->72 25 MpCmdRun.exe 2 14->25         started        74 Query firmware table information (likely to detect VMs) 16->74 signatures6 process7 dnsIp8 44 gwyk.sp168.tv 156.241.4.189, 10092, 49700, 49701 SIA-HK-ASSkyExchangeInternetAccessHK Seychelles 18->44 34 C:\Windows\System32\drivers\QAssist.sys, PE32+ 18->34 dropped 56 Sample is not signed and drops a device driver 18->56 58 Uses ping.exe to sleep 23->58 60 Uses ping.exe to check the status of other devices and networks 23->60 27 PING.EXE 1 23->27         started        30 conhost.exe 23->30         started        32 conhost.exe 25->32         started        file9 signatures10 process11 dnsIp12 46 127.0.0.1 unknown unknown 27->46
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054/
Threat name:
Win32.Trojan.GhostRAT
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 04:14:00 UTC
File Type:
PE (Exe)
AV detection:
33 of 36 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ctzydqgxlv2hpxslzcibf5urnxhr2nz4j25sg2clvjz53u566bka._file
Verdict:
malicious
Similar samples:
161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49
Gh0stRAT
38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
Gh0stRAT
45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0
Gh0stRAT
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
Gh0stRAT
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
Gh0stRAT
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
Gh0stRAT
ad8bb6a26ffb2234855a89f214ac91cc98c8e53910a181f7cf9828062a734c03
Gh0stRAT
ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
Gh0stRAT
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Gh0stRAT
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
Gh0stRAT
+ 57 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox persistence rat rootkit trojan upx
Link:
https://tria.ge/reports/240612-nlj6hssgpa/
Behaviour
Runs ping.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4d95d1b-5140-459a-8660-f14c2eedcf15
Unpacked files
SH256 hash:
c1693173b9c6738f4c2f377acf7a3804431410857f0881e6fcbf1ad804bb8999
MD5 hash:
c626161fde88be001c9a75c538bb8a4a
SHA1 hash:
9885b917b4d3aeb73d3257770815f82e45803fd3
Detections:
check_installed_software
Create hunting rule
Mimikatz_Strings
Create hunting rule
Hidden
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/fb4992e6-f034-4cbd-8896-223cfb3759f9/
Parent samples :
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
SH256 hash:
94d4843e465dbc3848e41eb8c35fd838918ab11c44f5c87138222e07a7e31c62
MD5 hash:
d773675a2d9daf5110251355ac75d1a1
SHA1 hash:
110eb24442fea5a674ffa5618984632a3bf620fc
Detections:
Hidden
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Link:
https://www.unpac.me/results/fb4992e6-f034-4cbd-8896-223cfb3759f9/
Parent samples :
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
SH256 hash:
b0e4be5ab0106b3547bd4c997e9affd916e99c202e855cee5ff9aa87e9e37f0a
MD5 hash:
f42911de75d64d94e2c6e916c212a686
SHA1 hash:
057b9bf7518dfe895649d5de9a8f3b6a075c4554
Detections:
Hidden
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Link:
https://www.unpac.me/results/fb4992e6-f034-4cbd-8896-223cfb3759f9/
Parent samples :
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
SH256 hash:
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
MD5 hash:
c51e84d4d53678605a1cb5feb6436c84
SHA1 hash:
c5b5bbc10b0901923bf13690d9e575b41d86ac59
Link:
https://www.unpac.me/results/fb4992e6-f034-4cbd-8896-223cfb3759f9/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/14f381c0d75d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA

Comments