MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stCringe

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3
SHA3-384 hash:	4e9776e9368b8e6ba83c89f1e4f4add7487e0c0ac4b9124e430dc9abe1077be226ec3573fea41c1623e24751ef381e07
SHA1 hash:	b777eab56216cf7b183692db3136b9472782e216
MD5 hash:	3a5b7d5f6a117df62b659581127ff18c
humanhash:	robin-pluto-angel-snake
File name:	3a5b7d5f6a117df62b659581127ff18c.exe
Download:	download sample
Signature	Gh0stCringe Create hunting rule
File size:	63'488 bytes
First seen:	2021-10-03 07:30:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d9c7208ff3022bb34870c7ddeb406eb1 (5 x Gh0stCringe, 1 x Ramnit, 1 x Gh0stRAT)
ssdeep	768:jbz3IhpglwpDEq2m0j6Tf8V4Ie7ZZa3R1fb961vNPrl7sJnCJ0uZN:n4+wpDElm2IAUZZo1fbs1RVsZCJ0Y
Threatray	16 similar samples on MalwareBazaar
TLSH	T12C53070DE69EF0E3FB517530260E66328EBDB82C853C951F2E56694D1CF5B80A4AD372
Reporter	abuse_ch
Tags:	exe Gh0stCringe

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3a5b7d5f6a117df62b659581127ff18c.exe

Verdict:

No threats detected

Analysis date:

2021-10-03 08:12:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2d834bb7-b636-4450-8053-1378fd6be55a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194311/

Detection(s):

Win.Trojan.Mikey-9769164-0

Win.Malware.Farfli-9832713-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the system32 directory

Creating a service

Launching a service

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Enabling autorun for a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/615c2ebab95458900cdc6390/reports/0d6932b2-78b4-4ee8-872c-b663edf7b999/overview

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0a16a60-b13a-4743-b19e-6c42d59edad8

Result

Threat name:

Gh0stCringe

Detection:

malicious

Classification:

troj

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/863367

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Gh0stCringe

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2021-10-02 17:51:00 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Verdict:

malicious

Gh0stCringe

4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc

Gh0stCringe

4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9

Gh0stCringe

727bc43e3d9cdf3e79c2232cf3f647bdf94ad2012c31403434c17e5bbeb3c339

Gh0stCringe

7e6b769afc67e5e76904920f69a8d31475576ee4dc3411379efa665de38f7697

Gh0stCringe

a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d

Gh0stCringe

acaed16a37962b29231a2b0842b616000656a12ff66ce41830ca855a207fc5dc

Gh0stCringe

c973c31f8af3d15abb5963e2764f534e5263828320e9c15e57c953392c32ce65

Gh0stCringe

e7c3f20e293112d02c667e098467572371107a5316ffdf4434dea2e490434771

Gh0stCringe

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/211003-jcdvxsfcal/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Loads dropped DLL

Executes dropped EXE

Sets DLL path for service in the registry

Unpacked files

SH256 hash:

18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3

MD5 hash:

3a5b7d5f6a117df62b659581127ff18c

SHA1 hash:

b777eab56216cf7b183692db3136b9472782e216

Link:

https://www.unpac.me/results/9402818f-fa01-42ac-b088-3d3f9100e121/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/18158134da1b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stCringe

exe 18158134da1bb476cc580a19d2e61e1cc378452ad527022169040344abcb22a3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1650416/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/194311/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample