MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49
SHA3-384 hash: 49eefbf804cf340a26c22f42ea73b1692e94d8bfaaed6767ae80a87ca4811fb56dcb881b31337e3863d85e305703d290
SHA1 hash: 2f47b13c8925d36e75632436738753f1db7b8001
MD5 hash: 91e2c066da101bdb8cbfae83d90a15cf
humanhash: sixteen-island-monkey-mockingbird
File name:91e2c066da101bdb8cbfae83d90a15cf
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:384'000 bytes
First seen:2021-06-24 08:43:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92cbf1b7939e726b820cc211fce00750 (5 x Gh0stRAT)
ssdeep 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8NhE5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyld
Threatray 33 similar samples on MalwareBazaar
TLSH A9841210A0FE4C19C2C521700D2DAF8A6CBA50E52EB01C5FBEADFF765DF59D89028697
Reporter zbetcheckin
Tags:32 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
91e2c066da101bdb8cbfae83d90a15cf
Verdict:
No threats detected
Analysis date:
2021-06-24 08:49:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d64b77a2-738b-4d97-86db-893b3aef3a09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167920/
Detection(s):
Win.Trojan.Farfli-9645812-0
Create hunting rule

Win.Trojan.Farfli-9645833-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Farfli
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22cb8f73-53af-422a-90fb-deaaa2e22667
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807290
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 03:41:05 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
Gh0stRAT
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
Gh0stRAT
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
Gh0stRAT
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
Gh0stRAT
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
Gh0stRAT
ad8bb6a26ffb2234855a89f214ac91cc98c8e53910a181f7cf9828062a734c03
Gh0stRAT
ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
Gh0stRAT
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Gh0stRAT
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
Gh0stRAT
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
Gh0stRAT
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210624-nxg2b948c6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
c1693173b9c6738f4c2f377acf7a3804431410857f0881e6fcbf1ad804bb8999
MD5 hash:
c626161fde88be001c9a75c538bb8a4a
SHA1 hash:
9885b917b4d3aeb73d3257770815f82e45803fd3
Link:
https://www.unpac.me/results/a1468f31-84c0-4f2b-8172-0bfd8bf17d8d/
Parent samples :
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
SH256 hash:
161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49
MD5 hash:
91e2c066da101bdb8cbfae83d90a15cf
SHA1 hash:
2f47b13c8925d36e75632436738753f1db7b8001
Link:
https://www.unpac.me/results/a1468f31-84c0-4f2b-8172-0bfd8bf17d8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394132/
Cape
Cape
https://www.capesandbox.com/analysis/167920/

Comments