MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 11 File information Comments

SHA256 hash:	21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d
SHA3-384 hash:	250a814a0105ac6333e2a9ad291f265296b779b9f509fcd3ed34903b2c8728d5013400ef56116086c3b524dbe70ae371
SHA1 hash:	3c5d4d216dd1870f8c36c61624d980bd4311123c
MD5 hash:	5cd3db9a24801fb7d01b7e589494c60f
humanhash:	maine-lion-texas-video
File name:	5CD3DB9A24801FB7D01B7E589494C60F.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	462'848 bytes
First seen:	2024-03-23 04:20:18 UTC
Last seen:	2024-03-23 06:27:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	77eef4e097d1e4bdf8b3e7692e2593aa (5 x Gh0stRAT)
ssdeep	6144:YDBJuB+BuOQMfIQmslc5wUtQIb5ER4YXS96lQvaRcfMwWv8:CrK+BiM635XtDEvXS96Ge9wWv8
TLSH	T1D2A46B136E07ED4EE386133129D97CE0111DBF5ABA65017FE2B83E9B1C34BB109AB495
TrID	31.0% (.EXE) InstallShield setup (43053/19/16) 22.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.SCR) Windows screen saver (13097/50/3) 7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	3c7462236727673b (2 x Gh0stRAT)
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
216.83.40.187:7777

Intelligence

File Origin

# of uploads :

# of downloads :

461

Origin country :

Vendor Threat Intelligence

Malware family:

gh0st

ID:

File name:

21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d.exe

Verdict:

Malicious activity

Analysis date:

2024-03-23 04:21:23 UTC

Tags:

remote rat gh0st

Link:

https://app.any.run/tasks/9de88006-1ca6-4673-bf62-84df0c417f9f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Searching for the window

Sending a custom TCP request

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Forced system process termination

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

farfli keylogger lolbin packed shell32 virus

Link:

https://www.filescan.io/uploads/65fe58afe267e4ac508609fd/reports/8c6063fc-775a-4525-9eb3-ccd0fb1f5d3a/overview

Verdict:

Malicious

Labled as:

DeepScan:Generic.KillMBR.A

Link:

https://www.hybrid-analysis.com/sample/21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2f587bd8-ae33-42a4-9892-591cbeb4d348

Result

Threat name:

GhostRat, Mimikatz, Nitol

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1414371

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to detect sleep reduction / modifications

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to infect the boot sector

Contains functionality to modify windows services which are used for security filtering and protection

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Found stalling execution ending in API Sleep call

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sigma detected: Potentially Suspicious Malware Callback Communication

Snort IDS alert for network traffic

Yara detected GhostRat

Yara detected Mimikatz

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d/

Threat name:

Win32.Trojan.FlyAgent

Status:

Malicious

First seen:

2024-03-19 12:44:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=egrjgm6rev7crzyxot4tt4cwtaylzxrts6ckwbg6bjpyxe33dmoq._file

Verdict:

malicious

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:gh0strat rat

Link:

https://tria.ge/reports/240323-eymyhaga7v/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates connected drives

Gh0st RAT payload

Gh0strat

Unpacked files

SH256 hash:

31913b545d5634caaa1a8c8f6631fc795bdb063226360edd959d0e609bbfb270

MD5 hash:

2a21c07fbd78ce1f06c1a5f4f9696aa2

SHA1 hash:

ad4b952f5fa8e6b5a792d9d864da63b5bd5bbfc0

Detections:

INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

check_installed_software

Mimikatz_Strings

GhostDragon_Gh0stRAT

MALWARE_Win_PCRat

MALWARE_Win_Zegost

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/bdaef0e6-80db-4af1-88c8-4a03f0bc38c5/

Parent samples :

21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d
ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6

SH256 hash:

ad06d366d40804aec7652d5251eccb93497bb6053ba7e8bdde3160423495afd3

MD5 hash:

f7b666298cfa08b739541f483336ccd1

SHA1 hash:

843b843db748309a21a8402e28a81e4b2dad849c

Detections:

INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

check_installed_software

Mimikatz_Strings

GhostDragon_Gh0stRAT

MALWARE_Win_PCRat

MALWARE_Win_Zegost

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/bdaef0e6-80db-4af1-88c8-4a03f0bc38c5/

SH256 hash:

21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d

MD5 hash:

5cd3db9a24801fb7d01b7e589494c60f

SHA1 hash:

3c5d4d216dd1870f8c36c61624d980bd4311123c

Link:

https://www.unpac.me/results/bdaef0e6-80db-4af1-88c8-4a03f0bc38c5/

Malware family:

Gh0stRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/21a29333d125/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Armadillov1xxv2xx Create hunting rule
Author:	malware-lu

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	GhostDragon_Gh0stRAT Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:	https://blog.cylance.com/the-ghost-dragon

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Gh0st_ee6de6bc Create hunting rule
Author:	Elastic Security
Description:	Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesA KERNEL32.dll::FindFirstFileA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample