MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
SHA3-384 hash: ba21815e96c71eec091f2a4ee6d2bfed12a44e29cc884b92fb8e6db20bb912ea7f8b6cd12948d3d5521b9ccbbe48dda2
SHA1 hash: 92fc4058baf9a6d33ca3232402c7bd5511000c11
MD5 hash: 6a5b8d421e055ede3b2dcbedb9d834d7
humanhash: fanta-fifteen-pip-pluto
File name:08328899.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:290'816 bytes
First seen:2023-05-31 06:37:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95ae7d6a24929573b30af7d0da35ccfe (1 x Gh0stRAT)
ssdeep 6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+
Threatray 2 similar samples on MalwareBazaar
TLSH T19D549E0276C244B7C743A5316AEE3377A7FE96258F29A683473CFE1E7D38542912431A
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d4b2d4f0e8e8e460 (1 x Gh0stRAT)
Reporter Neiki
Tags:Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08328899.exe
Verdict:
Malicious activity
Analysis date:
2023-05-31 06:38:35 UTC
Tags:
loader
Link:
https://app.any.run/tasks/7f781221-f923-4061-acd6-02f205d21793

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393864/
Detection(s):
Win.Trojan.Mikey-9862566-0
Create hunting rule

Win.Trojan.Mikey-9862598-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending an HTTP GET request
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Searching for many windows
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88769/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
keylogger lolbin shell32.dll
Link:
https://www.filescan.io/uploads/6476eb4cc55e8c7f61046de7/reports/74baae79-78a1-4be3-9f83-a670cf41ff66/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/baf28d9d-fe0e-4a2d-ad58-4cd600b80c84
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245804
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify clipboard data
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878814 Sample: 08328899.exe Startdate: 31/05/2023 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for dropped file 2->48 50 6 other signatures 2->50 8 08328899.exe 18 2->8         started        12 mmc.exe 30 35 2->12         started        15 mmc.exe 2->15         started        process3 dnsIp4 34 121.127.233.181, 22530, 49694, 49698 SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong Hong Kong 8->34 26 C:\Users\user\AppData\Local\...\bziqd[1].txt, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\...\bzim[1].txt, PE32 8->28 dropped 30 C:\ProgramData\windowsqd\winqd.exe, PE32 8->30 dropped 32 C:\ProgramData\windowsqd\test.exe, PE32 8->32 dropped 17 winqd.exe 2 8->17         started        20 test.exe 3 8->20         started        52 Modifies Group Policy settings 12->52 file5 signatures6 process7 signatures8 36 Antivirus detection for dropped file 17->36 38 Multi AV Scanner detection for dropped file 17->38 40 Machine Learning detection for dropped file 17->40 42 6 other signatures 17->42 22 cmd.exe 3 2 20->22         started        process9 process10 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-31 06:13:16 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=goupkeamdcekavpt5qry5qd6dlnuai5wn4lunhy7p22wph7m7ceq._file
Verdict:
malicious
Similar samples:
9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0
Gh0stRAT
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan
Link:
https://tria.ge/reports/230531-hd2spsdg41/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
MD5 hash:
6a5b8d421e055ede3b2dcbedb9d834d7
SHA1 hash:
92fc4058baf9a6d33ca3232402c7bd5511000c11
Link:
https://www.unpac.me/results/5f0fd67d-24f4-413c-95b7-c1476fe29d73/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/33a8f5100c18/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MiKey
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393864/

Comments