MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 12 File information Comments

SHA256 hash:	20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286
SHA3-384 hash:	32cc577c436bce43f7b8bd8c8753ec1a34608f59e69c59ad0d8205638aa7ebc31a698cfced20efa0951a4fba8eaed284
SHA1 hash:	497a518db48f29f06ab48a11ccffa330bfaec463
MD5 hash:	a1d493d00b15cac7425ffd0de19d9463
humanhash:	delta-neptune-emma-nebraska
File name:	SecuriteInfo.com.DeepScan.Generic.KillMBR.A.0F62102B.27563.27241
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	30'379'867 bytes
First seen:	2023-03-31 20:37:18 UTC
Last seen:	2023-03-31 21:26:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	73ec795c6c369c6ce2c3b4c3f6477daa (12 x Gh0stRAT, 5 x MimiKatz, 1 x Redosdru)
ssdeep	786432:H0QWKpMBUjfIJ2phRLdIHuctALrZoocXt:UQWKGBU8w1Lsh+rRUt
Threatray	83 similar samples on MalwareBazaar
TLSH	T18867338A464A980CDB90A532F15F5B012F75017D0B0A981FF9FC34AA9379B87597F8F2
TrID	56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4505/5/1) 3.7% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	bcadaea686868633 (11 x Gh0stRAT)
Reporter	SecuriteInfoCom
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.DeepScan.Generic.KillMBR.A.0F62102B.27563.27241

Verdict:

Malicious activity

Analysis date:

2023-03-31 20:38:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6b452230-7954-4822-a13a-d0e662be90a3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/75916/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

farfli gh0st ghostrat overlay packed shell32.dll xpack

Link:

https://www.filescan.io/uploads/642744ac877a0f1a5afbf3a6/reports/91d6f36c-351d-475e-ab3c-e7d5ccf80df6/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286

Result

Verdict:

MALICIOUS

Result

Threat name:

GhostRat, Nitol

Detection:

malicious

Classification:

troj

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1206126

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected GhostRat

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2023-03-30 07:07:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ed2labqapxx4fzy2ji54n77azw5v5vxtjrhbl2k5qwt4wyfhmkda._file

Verdict:

malicious

Gh0stRAT

1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825

Gh0stRAT

4e90491d7bfcb50079a2fc9795b8ae9c4bd9ee5b26913b075ea248f953c6b910

Gh0stRAT

71a0f84fc97d3ea8ecdc9dc19e058fe994e3cecf826f3db462c4995d8ee6dacb

Gh0stRAT

7d147fa016e7218fcf60c76d2688a100e83fbb580f3c954d55e08d2c7b0b5a14

Gh0stRAT

a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf

Gh0stRAT

d46dbbb40bf11bda9b1aa74d9d2550a73ab0ae6008270c2c541153cd4974a3dd

Gh0stRAT

dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c

Gh0stRAT

+ 73 additional samples on MalwareBazaar

Result

Malware family:

purplefox

Score:

10/10

Tags:

family:gh0strat family:purplefox rat rootkit trojan

Link:

https://tria.ge/reports/230331-zep9qsdc35/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates connected drives

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat

PurpleFox

Malware Config

C2 Extraction:

190.92.242.47

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.28

Link:

https://yomi.yoroi.company/submissions/20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Hidden Create hunting rule
Author:	@bartblaze
Description:	Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:	https://github.com/JKornev/hidden

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	INDICATOR_TOOL_RTK_HiddenRootKit Create hunting rule
Author:	ditekSHen
Description:	Detects the Hidden public rootkit

Rule name:	MALWARE_Win_FatalRAT Create hunting rule
Author:	ditekSHen
Description:	Detects FatalRAT

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

Rule name:	Windows_Trojan_Gh0st_ee6de6bc Create hunting rule
Author:	Elastic Security
Description:	Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

exe 20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2592805/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample