MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b0f36a54f41ddf97236593602090cfcbc4d550c6cdca08d09a483b3d5b7ba6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b0f36a54f41ddf97236593602090cfcbc4d550c6cdca08d09a483b3d5b7ba6c
SHA3-384 hash: daf26862abea702082606dba5888bdb821d661d4cfe52e0286534afb7b737bbb4c660512dcf2558482217f89d97a18a5
SHA1 hash: 2635112b75a180aa8a3fa31efc5c23b7b3d60b0d
MD5 hash: 31e8c459191e48965eba2e6e50f9f70c
humanhash: nitrogen-spaghetti-double-cold
File name:stin.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:571'904 bytes
First seen:2021-07-21 21:10:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9111a2909fdc32004a0ae869e1b26c4b (1 x Gh0stRAT)
ssdeep 3072:kfOUGryfXg9B9VfQdI4N/gVXBBuavdO+avOD6tGX2:syl9bxb454VdOjvW6t
Threatray 12 similar samples on MalwareBazaar
TLSH T125C450D7649C4942D7581272F9CB05B38537AC3A20E7322B5DD47FB933AE09E93A6183
dhash icon f068b296cc9268f0 (1 x Gh0stRAT)
Reporter James_inthe_box
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
stin.exe
Verdict:
No threats detected
Analysis date:
2021-07-21 21:13:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5e841fe8-9f0c-4280-8eb3-1e839279f6cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173178/
Detection(s):
Win.Trojan.Generic-6305873-0
Create hunting rule

Win.Trojan.Farfli-9754465-0
Create hunting rule

Win.Trojan.Farfli-9763835-0
Create hunting rule

Win.Trojan.Magania-9773343-0
Create hunting rule

Win.Dropper.Gh0stRAT-9856137-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1409c059-8bcc-4195-85f8-55a7c3ba4c3b
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819784
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify windows services which are used for security filtering and protection
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b0f36a54f41ddf97236593602090cfcbc4d550c6cdca08d09a483b3d5b7ba6c/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 07:51:58 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmhtnjkpiho7s4rwle3aecim7s6e2vimntokbdijusb3hvnxxjwa._file
Verdict:
malicious
Similar samples:
248c72c5eb7823243a820b9935e49534d8a94b91a6528afd8db98c9e8f56fbc0
Gh0stRAT
389ddb82e254c476a6e3e2534182314d4702ce525371c2bcd5da6ef19d4851fb
Gh0stRAT
3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1
Gh0stRAT
43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f
Gh0stRAT
79a72a4ecd40dc06db04c402f2c5881af3918bb42236922f5838f820acea64cf
Gh0stRAT
a66d1021e54269963e9a54892869d569ffa1c74d9fb1b67f023ea5fdfd90c1a6
Gh0stRAT
a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d
Gh0stRAT
b89c262b14911c4480ed00b35a53500ecabb8f9df4169f2a84c3028f468cff48
Gh0stRAT
ea45f9b3dd2e613bb9cb0659dcf6d66ca092738fc510e37226bb99542ad685c8
Gh0stRAT
eb6478f051ae5b16921ed95f6a2f761512c79787ac2b54f0d00742ad526c34b8
Gh0stRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210721-vlsazxnsqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
2b0f36a54f41ddf97236593602090cfcbc4d550c6cdca08d09a483b3d5b7ba6c
MD5 hash:
31e8c459191e48965eba2e6e50f9f70c
SHA1 hash:
2635112b75a180aa8a3fa31efc5c23b7b3d60b0d
Link:
https://www.unpac.me/results/2a896b80-88ab-4faa-a0fa-69e74617e3cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
PcClient
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b0f36a54f41ddf97236593602090cfcbc4d550c6cdca08d09a483b3d5b7ba6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/173178/

Comments