MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c60192be3d193617aadd61be5be552a5b24e46e50492b04eb889ed1f6fbd81d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 7

SHA256 hash: 1c60192be3d193617aadd61be5be552a5b24e46e50492b04eb889ed1f6fbd81d
SHA3-384 hash: edccaf425aff6830a43ed03c6d48eab146739a167f0667b0b2203b5df1aea5c0faec4c3315728f6e20e6bda20f09dbb9
SHA1 hash: dafeecac1988de92d55095d5c7cbe6cd8ccda7e9
MD5 hash: 46fdc4b60fb66337835940cf1d1d91f0
humanhash: missouri-emma-seventeen-two
File name: 点击安装{纸飞机}简体中文语言包.exe (translation: "Click to install the {Paper Airplane} Simplified Chinese language pack.exe"; 纸飞机, "paper airplane", is a common Chinese nickname for Telegram, so the file presents itself as a Telegram localization pack)
Signature: Gh0stRAT
File size: 4'114'243 bytes
First seen: 2022-05-16 12:58:02 UTC
Last seen: Never
File type: Executable exe
MIME type:application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 98304:Q06FOznLo0+Dd6uxcQnTTgWz/Z0ipvsEcCG+gp8o5nZL:Q3F6n80W6uGQnTPXhk+gph5nh
Threatray 23 similar samples on MalwareBazaar
TLSH T1B7162303F792C0B1E4AA00B805664A724E76BE724B69D5E3ABD07D5EAD703D0F73254B
TrID 68.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
10.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.2% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon dc39333333353536 (1 x Gh0stRAT, 1 x MimiKatz)
Reporter obfusor
Tags: exe Gh0stRAT RAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 236
Origin country: n/a
Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: 点击安装{纸飞机}简体中文语言包.exe
Verdict: No threats detected
Analysis date: 2022-05-16 23:34:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects everything the analyst did during the session rather than an automated analysis of the uploaded sample alone, so a "No threats detected" result there does not by itself clear the file.
Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a window
  Sending a custom TCP request

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  CheckCmdLine
  EvasionGetTickCount
  EvasionQueryPerformanceCounter

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware obfuscated overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary; depending on context, the presence of such a binary may be suspicious or malicious.
Result
Threat name: GhostRat, Mimikatz, Nitol
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph (ID 627611; start date 16/05/2022; architecture: Windows; score: 100). The graphic itself is not reproduced here; the process tree, dropped files, network contact and per-node signatures recovered from it are:

Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures

点击安装{纸飞机}简体中文语言包.exe (submitted sample)
  drops C:\Users\user\AppData\Local\...\irsetup.exe (PE32)
  drops C:\Users\user\AppData\Local\...\lua5.1.dll (PE32)
  starts irsetup.exe
    drops C:\WindowsNT\WindowsNT.exe (PE32) [signature: Drops executables to the windows directory (C:\Windows) and starts them]
    starts conhost.exe
    starts WindowsNT.exe
      connects to 180.215.203.34 port 36060 (from local port 49765), BCPL-SGBGPNETGlobalASNSG, Singapore
      drops C:\ProgramData\data\upx.exe (PE32)
      signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
      starts cmd.exe [signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings]
        starts conhost.exe
      starts upx.exe
        drops C:\ProgramData\Program\qbcore.dll (PE32)
        starts conhost.exe
      starts upx.exe
        drops C:\ProgramData\Program\iusb3mon.exe (PE32)
        starts conhost.exe
      starts 12 other processes, among them taskkill.exe, two conhost.exe instances and 12 further processes
upx.exe (second top-level process)
  starts conhost.exe
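The signature list and behaviour graph above give everything needed for a first host-side detection: the three file digests, the C2 endpoint 180.215.203.34:36060, the drop locations (C:\WindowsNT, a lookalike directory next to the real C:\Windows, and C:\ProgramData\Program and C:\ProgramData\data), and the netsh and schtasks activity launched from cmd.exe. The following Python is an added example, not code from MalwareBazaar or any of the vendors whose results are shown; it runs those checks over a small set of constructed endpoint events modelled on the graph. The event schema, the installer path, and the exact netsh and schtasks command lines are assumptions, since the report only states that those tools were used, not their arguments.

```python
"""Added example, not code from MalwareBazaar or any vendor report: match
constructed endpoint telemetry against the indicators and behaviours listed
for this sample. The event schema and the command lines are assumptions."""
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the entry above.
SAMPLE_HASHES = {
    "sha256": "1c60192be3d193617aadd61be5be552a5b24e46e50492b04eb889ed1f6fbd81d",
    "sha1": "dafeecac1988de92d55095d5c7cbe6cd8ccda7e9",
    "md5": "46fdc4b60fb66337835940cf1d1d91f0",
}
C2_ENDPOINTS = {("180.215.203.34", 36060)}
# Directories the sandbox saw the payload dropped into (lower case, trailing
# backslash). C:\WindowsNT is a lookalike of C:\Windows, not a system directory.
DROP_DIRS = ("c:\\windowsnt\\", "c:\\programdata\\program\\", "c:\\programdata\\data\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    event_index: int  # position of the triggering event in the input list
    detail: str


def hashes_of(data: bytes) -> dict:
    """The three digests the entry lists, so a local file can be compared with it."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def is_known_sample(data: bytes) -> bool:
    return hashes_of(data) == SAMPLE_HASHES


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list) -> list:
    """Apply the behaviour rules to a list of event dicts and return the findings."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "").lower()
            exe = _basename(image)
            for algo, digest in SAMPLE_HASHES.items():  # any one digest is enough
                if ev.get(algo, "").lower() == digest:
                    findings.append(Finding("known_hash", i, f"{algo} matches the entry"))
                    break
            if image.startswith(DROP_DIRS):
                findings.append(Finding("exe_in_drop_dir", i, image))
            # "Uses netsh to modify the Windows network and firewall settings"
            if exe == "netsh.exe" and re.search(r"\b(advfirewall|firewall)\b", cmd):
                findings.append(Finding("firewall_tamper", i, cmd))
            # "Uses schtasks.exe or at.exe to add and modify task schedules"
            if (exe == "schtasks.exe" and "/create" in cmd) or exe == "at.exe":
                findings.append(Finding("schtasks_persist", i, cmd))
        elif kind == "network":
            dst = (ev.get("dst_ip"), ev.get("dst_port"))
            if dst in C2_ENDPOINTS:
                findings.append(Finding("c2_connect", i, f"{dst[0]}:{dst[1]}"))
        elif kind == "file":
            path = ev.get("path", "").lower()
            if path.startswith(DROP_DIRS) and path.endswith((".exe", ".dll")):
                findings.append(Finding("drop_dir_write", i, path))
    return findings


# Constructed telemetry modelled on the sandbox process tree; the installer
# path and both command lines are illustrative assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Users\\user\\Downloads\\installer.exe",
     "cmdline": "installer.exe", "parent": "explorer.exe", **SAMPLE_HASHES},
    {"type": "file", "path": "C:\\WindowsNT\\WindowsNT.exe", "image": "irsetup.exe"},
    {"type": "process", "image": "C:\\WindowsNT\\WindowsNT.exe",
     "cmdline": "WindowsNT.exe", "parent": "irsetup.exe"},
    {"type": "network", "image": "C:\\WindowsNT\\WindowsNT.exe",
     "dst_ip": "180.215.203.34", "dst_port": 36060},
    {"type": "process", "image": "C:\\Windows\\System32\\netsh.exe", "parent": "cmd.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="WindowsNT" dir=in '
                'action=allow program="C:\\WindowsNT\\WindowsNT.exe"'},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "parent": "cmd.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn "iusb3mon" '
                '/tr "C:\\ProgramData\\Program\\iusb3mon.exe" /f'},
    # Unrelated activity that must not fire.
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"type": "network", "image": "C:\\Program Files\\Browser\\browser.exe",
     "dst_ip": "203.0.113.5", "dst_port": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule}: {f.detail}")
```

The hash rules only catch this exact file; the path, netsh, schtasks and C2 rules are what carry over to repacked builds of the same kit, and the drop-directory prefix is deliberately kept separate from C:\Windows so the lookalike directory is flagged on its own rather than hidden by a generic "writes to Windows" rule.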
Result
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2022-04-24 00:53:02 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 17 of 26 (65.38%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: e1bb0e92daa3a318c91af5da3f2cbb5e9259c380975be7d97fc310a2f409320e
MD5 hash: e65a756180339ce63e6ff5e38ceab58c
SHA1 hash: d24a5f4ea399a9ddb8090ac80bb3a6f256c988bf

SHA256 hash: 1921cd22f1895c3b4026d3bc48304060dffde503652ae05b6487c4ce9c361c13
MD5 hash: 2c5b9088e194d48ac9c09287528c59c2
SHA1 hash: 1a540300f30761f71a999f3a4e440b2d68a13801

SHA256 hash: 4d1b75481750c4a16471a56c0dfdd25995a9f7e40799ba461bd03aa6e618bb7d
MD5 hash: 95957edaec494f1b21e03ab079e84327
SHA1 hash: a672bb320ebf81e598f1aa5badd3378310f0f017

SHA256 hash: 1c60192be3d193617aadd61be5be552a5b24e46e50492b04eb889ed1f6fbd81d (the submitted sample itself; same digests as in the entry header)
MD5 hash: 46fdc4b60fb66337835940cf1d1d91f0
SHA1 hash: dafeecac1988de92d55095d5c7cbe6cd8ccda7e9
Please note that we are no longer able to provide a coverage score for Virus Total.
