MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 17



SHA256 hash: 311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
SHA3-384 hash: fa5f3a6f5fec965f279fc0ae9c8660da8562fa2369daf8071020f73695cb5355aa19fddaadf1421e2bff1873bb7d1901
SHA1 hash: e13b7ab9b10d698bb766141fccae0e7cf19c7195
MD5 hash: eb896b51453c804f14c11eee64c0ff79
humanhash: idaho-tennis-juliet-undress
File name: eb896b51453c804f14c11eee64c0ff79.exe
Signature: Gh0stRAT
File size: 384,000 bytes
First seen: 2024-06-16 13:29:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 92cbf1b7939e726b820cc211fce00750 (5 x Gh0stRAT)
ssdeep: 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8Nh+5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyzd
Threatray: 76 similar samples on MalwareBazaar
TLSH: T172841210A0FE4C19C2C521700D2DAF8A6CBA50E52EB01C5FBEADFF765DF59D89028697
TrID: 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe Gh0stRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 382
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa.exe
Verdict: Malicious activity
Analysis date: 2024-06-16 13:52:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: Execution Network Farfli
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating synchronization primitives
Creating a file in the drivers directory
Creating a window
Loading a system driver
Connection attempt to an infection source
Launching a process
Creating a file
Enabling autorun for a service
Query of malicious DNS domain
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc farfli microsoft_visual_cc packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Hidden Rootkit
Verdict: Malicious
Result
Threat name: GhostRat, Mimikatz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph ID: 1458039 (Sample: XQM33Vtxm3.exe, Startdate: 16/06/2024, Architecture: WINDOWS, Score: 100)
- Root node: DNS/IP www2.micrr0soft.com, 26.165.165.52.in-addr.arpa, 198.187.3.20.in-addr.arpa; signatures: Snort IDS alert for network traffic, Multi AV Scanner detection for domain / URL, Malicious sample detected (through community Yara rule), 8 other signatures; starts Dumdu.exe, XQM33Vtxm3.exe, svchost.exe
- Dumdu.exe (first instance): Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Drops executables to the windows directory (C:\Windows) and starts them; starts a second Dumdu.exe
- XQM33Vtxm3.exe: dropped C:\Windows\SysWOW64\Dumdu.exe (PE32) and C:\Windows\...\Dumdu.exe:Zone.Identifier (ASCII); starts cmd.exe and MpCmdRun.exe
- Dumdu.exe (second instance): network www2.micrr0soft.com 156.241.4.189, ports 10092, 49700, 49705 (SIA-HK-ASSkyExchangeInternetAccessHK, Seychelles); dropped C:\Windows\System32\drivers\QAssist.sys (PE32+); Sample is not signed and drops a device driver
- cmd.exe: Uses ping.exe to sleep, Uses ping.exe to check the status of other devices and networks; starts PING.EXE and conhost.exe
- MpCmdRun.exe: starts conhost.exe
- PING.EXE: network 127.0.0.1
Threat name: Win32.Trojan.GhostRAT
Status: Malicious
First seen: 2022-07-05 00:00:46 UTC
File Type: PE (Exe)
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Result
Malware family: purplefox
Score: 10/10
Tags: family:gh0strat family:purplefox persistence rat rootkit trojan upx
Behaviour
Runs ping.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SHA256 hash:
c1693173b9c6738f4c2f377acf7a3804431410857f0881e6fcbf1ad804bb8999
MD5 hash:
c626161fde88be001c9a75c538bb8a4a
SHA1 hash:
9885b917b4d3aeb73d3257770815f82e45803fd3
Detections:
check_installed_software Mimikatz_Strings Hidden MALWARE_Win_PCRat INDICATOR_TOOL_RTK_HiddenRootKit potential_termserv_dll_replacement
SHA256 hash:
94d4843e465dbc3848e41eb8c35fd838918ab11c44f5c87138222e07a7e31c62
MD5 hash:
d773675a2d9daf5110251355ac75d1a1
SHA1 hash:
110eb24442fea5a674ffa5618984632a3bf620fc
Detections:
Hidden INDICATOR_TOOL_RTK_HiddenRootKit
SHA256 hash:
b0e4be5ab0106b3547bd4c997e9affd916e99c202e855cee5ff9aa87e9e37f0a
MD5 hash:
f42911de75d64d94e2c6e916c212a686
SHA1 hash:
057b9bf7518dfe895649d5de9a8f3b6a075c4554
Detections:
Hidden INDICATOR_TOOL_RTK_HiddenRootKit
SHA256 hash:
311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
MD5 hash:
eb896b51453c804f14c11eee64c0ff79
SHA1 hash:
e13b7ab9b10d698bb766141fccae0e7cf19c7195
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Gh0stRAT
File: Executable exe 311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa (this sample)
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
