MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825
SHA3-384 hash: c12ea3313b8b615960b4075f1a5b51b7bdb55b81a550e189b899ceb8d201c1b673f9ca0eb643df697a3e64adeefecef1
SHA1 hash: d63eaf76bf47627c5c3d4937b6abe5929045f627
MD5 hash: bc6f4c15c378f362aaf7d37644735eae
humanhash: maine-texas-vermont-island
File name:bc6f4c15c378f362aaf7d37644735eae
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:541'877 bytes
First seen:2023-03-14 04:40:58 UTC
Last seen:2023-03-14 06:30:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a63e1f894c73ad61ac71902c55e3c351 (1 x Gh0stRAT)
ssdeep 12288:AiDDEEuqctaY5effnWQ7x7dJsPMR1F4fWDNo5F/oJBprSqYeJGDQ:AiDoTqctaY5effnW8RDsXOvvY6
Threatray 37 similar samples on MalwareBazaar
TLSH T153B423DAE29E8930D15FA57D59EBBA1396549DA52C73D32FAD0CF000483E42F9CEB640
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon bcadaea686868633 (11 x Gh0stRAT)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc6f4c15c378f362aaf7d37644735eae
Verdict:
Malicious activity
Analysis date:
2023-03-14 04:43:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5836248e-df79-4068-921e-673e24506726

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zegost
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374129/
Detection(s):
PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Packer.Anti-28
Create hunting rule

PUA.Win.Packer.Anti-29
Create hunting rule

PUA.Win.Packer.Nspack-5
Create hunting rule

PUA.Win.Packer.NPack-4
Create hunting rule

PUA.Win.Packer.Nspack-34
Create hunting rule

PUA.Win.Packer.Nspack-21
Create hunting rule

PUA.Win.Packer.Nspack-13
Create hunting rule

PUA.Win.Packer.Nspack-25
Create hunting rule

PUA.Win.Packer.Nspack-22
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
farfli gh0st graybird hupigon packed shell32.dll virus
Link:
https://www.filescan.io/uploads/640ffae086958b4d2a27990d/reports/45042fdb-401d-43c9-9f12-babd9615d726/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64776b00-fd45-47b7-a012-dc713ecddef6
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1193019
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 08:37:54 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4yzjros67pakbpvuwtnegpsc7gvkjxppspyzuwrmoehc5sxfasq._file
Verdict:
malicious
Similar samples:
49fe889b5081ebb969a26d2eecab566c2ccad3972ee21513fe61994110267714
Gh0stRAT
d727f725ef0c3837013468f9675b6a0531658d8e60f01e5762e130cbabd665d0
Gh0stRAT
fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90
Gh0stRAT
+ 27 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan
Link:
https://tria.ge/reports/230314-fa4rsadc82/
Behaviour
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
838e034e27aa37c05bc9df1ec553990ee64afbe6adffa03a6f3decb730a2caca
MD5 hash:
c05674d936917dc6989f44ffdba28a24
SHA1 hash:
6ddbb07cd66f86ed937a1c7938fae4ec6c354950
Link:
https://www.unpac.me/results/995be97a-a10a-42da-abed-da8010c37155/
Parent samples :
83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
eaa840e393c8f8a3bdcd865ea6eff59f586e14bd9c3518d88098062056964281
40e261e7bffce05b06dc3d6feaa430d310ec8bde473e1136255965b8aa28f925
5e4f250d0488ca67cd13e2e8c50eba3f8b6da8b99095a561378eab18bcd4a4a0
68abafd00ce80bf87b40ac64359794d75bedc8799e787511e6bd20f6a88295d2
SH256 hash:
1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825
MD5 hash:
bc6f4c15c378f362aaf7d37644735eae
SHA1 hash:
d63eaf76bf47627c5c3d4937b6abe5929045f627
Link:
https://www.unpac.me/results/995be97a-a10a-42da-abed-da8010c37155/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2569414/
Cape
Cape
https://www.capesandbox.com/analysis/374129/

Comments


Avatar
zbet commented on 2023-03-14 04:41:07 UTC

url : hxxp://124.220.35.63/103.exe