MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 10

SHA256 hash: 3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad
SHA3-384 hash: 005e88e647437074fa654b59c63df009980ded18c20d5b19ef776aceb81279aec1abd162965d09d9dce00b705bbb7d63
SHA1 hash: a7d242776ebdd55d494f24f3a96b48c1acd574dd
MD5 hash: 99d66cd7da25f37b13936ce6f0f939d7
humanhash: mike-kitten-oranges-earth
File name: 99d66cd7da25f37b13936ce6f0f939d7.exe
Signature: Gh0stRAT
File size: 5'062'656 bytes
First seen: 2021-09-06 12:30:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4b67c182997c6caacb0b141d8d598664 (1 x Gh0stRAT)
ssdeep 98304:XSse110tnw6AOXu57bC4RqlrjAe8VhhSEYEniZqgE2NFE6Wq+Pw1rhWixOU2tlOk:XEyWO+57bC8CAe8TMjNHN+PI9xLoMPsZ
Threatray 115 similar samples on MalwareBazaar
TLSH T1F1361223B55280B3C1E5213564FB2F357EF4BA590A25C9E393E4DEB93C22570DA2721E
dhash icon 79f8ccccccb2cccc (1 x Gh0stRAT, 1 x Ramnit)
Reporter abuse_ch
Tags: exe Gh0stRAT


abuse_ch
Gh0stRAT C2:
139.155.178.173:19060

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 139.155.178.173:19060
ThreatFox reference: https://threatfox.abuse.ch/ioc/216195/

Intelligence


File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
99d66cd7da25f37b13936ce6f0f939d7.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-06 12:33:06 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox; its verdict reflects every action the analyst took during the session, not only the behaviour of the uploaded sample.
Result
Verdict:
Malware
Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Sending a UDP request
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Threat name:
Win32.Trojan.Emotet
Status:
Malicious
First seen:
2021-07-31 06:45:00 UTC
AV detection:
32 of 43 (74.42%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata upx
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
suricata: ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SHA256 hash:
ad75817b147fbb02806c839e65f1a930d5448570545ab73066905f408c6db2dd
MD5 hash:
c83fd1e6a621482a7db1bde0c2050b0c
SHA1 hash:
d092a23fbe2af35e4d36fd91fc168b95aba5bb78
SHA256 hash:
96ca1aa12152995c31d69c29427e640bb77be1735b5320d068cc73dd8c01acab
MD5 hash:
a4aa46a06d72f4813361e804525d1ad2
SHA1 hash:
5f368b5805c7cb6e0d0a454a1a230c309c6cf06b
SHA256 hash:
e16093473ecd29273e97a31eab10a14389f8bf942a420dbb8a3a03fe936a3498
MD5 hash:
05d1bd713239ed64279fa3f010d7617e
SHA1 hash:
4f4ff25c8e856fef2a2ebdafcebbad9aed2fbd7f
SHA256 hash:
df145bd8fee985e71f58cc3786a457ce088e6eebdfb92c1cea2cf425b1875376
MD5 hash:
efe984b0f35e0e928a70f731e1cc3e3d
SHA1 hash:
37da05f7d42847004b2a8ecd40e039676d06da85
SHA256 hash:
3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad
MD5 hash:
99d66cd7da25f37b13936ce6f0f939d7
SHA1 hash:
a7d242776ebdd55d494f24f3a96b48c1acd574dd
Please note that we are no longer able to provide a coverage score for VirusTotal.
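The C2 socket in the IOC section and the hash sets for the sample and its unpacked files are the two things a defender would actually sweep for. The script below is an added example, not MalwareBazaar or abuse.ch tooling: it carries the IOC values from this entry, matches a key=value firewall/proxy log format that is assumed for illustration, and flags an IP-only hit separately because a Gh0st operator can move the listener to another port. The log lines and file bytes it runs on are constructed, not real telemetry.

```python
"""Sweep local telemetry for the IOCs on this MalwareBazaar entry.

Added example; not part of MalwareBazaar or any abuse.ch project.
IOC values are copied from the entry. The log format, log lines and
file bytes below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Network IOC from the entry: Gh0stRAT C2 socket (ThreatFox IOC 216195).
C2_SOCKETS = {("139.155.178.173", 19060)}
C2_HOSTS = {ip for ip, _ in C2_SOCKETS}

# File IOCs from the entry: the sample itself plus the four unpacked files.
HASH_IOCS = {
    "sha256": {
        "3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad",
        "ad75817b147fbb02806c839e65f1a930d5448570545ab73066905f408c6db2dd",
        "96ca1aa12152995c31d69c29427e640bb77be1735b5320d068cc73dd8c01acab",
        "e16093473ecd29273e97a31eab10a14389f8bf942a420dbb8a3a03fe936a3498",
        "df145bd8fee985e71f58cc3786a457ce088e6eebdfb92c1cea2cf425b1875376",
    },
    "sha1": {
        "a7d242776ebdd55d494f24f3a96b48c1acd574dd",
        "d092a23fbe2af35e4d36fd91fc168b95aba5bb78",
        "5f368b5805c7cb6e0d0a454a1a230c309c6cf06b",
        "4f4ff25c8e856fef2a2ebdafcebbad9aed2fbd7f",
        "37da05f7d42847004b2a8ecd40e039676d06da85",
    },
    "md5": {
        "99d66cd7da25f37b13936ce6f0f939d7",
        "c83fd1e6a621482a7db1bde0c2050b0c",
        "a4aa46a06d72f4813361e804525d1ad2",
        "05d1bd713239ed64279fa3f010d7617e",
        "efe984b0f35e0e928a70f731e1cc3e3d",
    },
    "sha3_384": {
        "005e88e647437074fa654b59c63df009980ded18c20d5b19ef776aceb81279aec1abd162965d09d9dce00b705bbb7d63",
    },
}

# Hypothetical key=value log format: "... dst=<ip>:<port> ...".
_DST_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\b")


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (verdict, line) for lines whose destination touches the C2.

    'c2_socket': exact IP:port match (high confidence).
    'c2_host':   same IP, different port; lower confidence, but Gh0st
                 operators do rotate listener ports, so it is worth a look.
    """
    hits = []
    for line in lines:
        m = _DST_RE.search(line)
        if not m:
            continue
        ip, port = m.group("ip"), int(m.group("port"))
        if (ip, port) in C2_SOCKETS:
            hits.append(("c2_socket", line))
        elif ip in C2_HOSTS:
            hits.append(("c2_host", line))
    return hits


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute the digest types MalwareBazaar lists for a file you hold."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Return the digest types whose value hits a listed IOC.

    Values are normalised (whitespace stripped, lower-cased) so a digest
    pasted from an EDR console or a PDF report compares cleanly.
    """
    matched = []
    for algo, value in digests.items():
        if algo in HASH_IOCS and value.strip().lower() in HASH_IOCS[algo]:
            matched.append(algo)
    return sorted(matched)


# Constructed log lines (not real telemetry).
SAMPLE_LOG = [
    "2021-09-06T12:40:11Z src=10.0.0.5:51234 dst=139.155.178.173:19060 proto=tcp action=allow",
    "2021-09-06T12:40:12Z src=10.0.0.5:51235 dst=93.184.216.34:443 proto=tcp action=allow",
    "2021-09-06T12:41:03Z src=10.0.0.7:49911 dst=139.155.178.173:8080 proto=tcp action=deny",
]

if __name__ == "__main__":
    for verdict, line in scan_log_lines(SAMPLE_LOG):
        print(verdict, line)
    # Digest pasted from an alert, upper-case with a trailing space.
    print(match_hashes({"md5": "99D66CD7DA25F37B13936CE6F0F939D7 "}))
    # A file actually on disk (constructed bytes here): hash, then compare.
    print(match_hashes(digest_bytes(b"not the sample")))
```

A `c2_socket` hit alongside one of the Suricata alerts listed above (ET MALWARE Backdoor family PCRat/Gh0st CnC traffic) is strong corroboration; a `c2_host` hit on its own should be pivoted on, not acted on. Hash matches are exact-match only: a repacked build of the same RAT will miss every set here, which is why the entry also lists imphash, ssdeep and TLSH for similarity pivots.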

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Nitol
Author:ditekSHen
Description:Detects Nitol backdoor
Rule name:win_younglotus_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.younglotus.
Rule name:without_attachments
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the absence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of one or more URLs
Reference:http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 3179fe15e7ff91a0e02a7a75667f8c230e95817d1ac0e0fb0f34a74d33c0b8ad

(this sample)

Delivery method
Distributed via web download

Comments