MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 11 File information Comments

SHA256 hash:	35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620
SHA3-384 hash:	bcf83ddbc3c8bbb66109377eea0603b90cae41d6098c9361a69af8227460902f12dbe31436e9a6ae2fcf45744791fcd0
SHA1 hash:	c9314ca68f7dbb5257e8754520bebf7a49ec3d34
MD5 hash:	ac0ae3f1dcb228ead83ea9e2ef8668bb
humanhash:	snake-saturn-magnesium-autumn
File name:	ac0ae3f1dcb228ead83ea9e2ef8668bb.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	636'022 bytes
First seen:	2023-03-13 10:22:27 UTC
Last seen:	2023-03-13 11:28:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	73ec795c6c369c6ce2c3b4c3f6477daa (12 x Gh0stRAT, 5 x MimiKatz, 1 x Redosdru)
ssdeep	12288:VODDEEuqctaY5effnWQ7x7dJsPMR1F4fWDNo5F/oJBprSqYeJGDw+125:VODoTqctaY5effnW8RDsXOvvYh1C
Threatray	98 similar samples on MalwareBazaar
TLSH	T124D423DAF2CC9430C02EB6B96DFBE6125214AD656E33DB4F6D8CE009483D95F4CE65A0
TrID	56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.1% (.EXE) Win32 Executable (generic) (4505/5/1) 3.7% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	bcadaea686868633 (11 x Gh0stRAT)
Reporter	abuse_ch
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ac0ae3f1dcb228ead83ea9e2ef8668bb.exe

Verdict:

Malicious activity

Analysis date:

2023-03-13 10:33:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/08562b96-56d8-4f10-9bc0-95372aa905df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Zegost

Link:

https://www.capesandbox.com/analysis/373991/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72939/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

83%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/640ef98b8cf57265b25abb22/reports/cb610d75-0ec9-4d20-8151-a9cd1060c9ea/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/96eeb5b4-8ca7-4416-9cb4-03246efb3883

Result

Threat name:

GhostRat, Nitol

Detection:

malicious

Classification:

troj

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1192398

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected GhostRat

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2023-03-13 09:03:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gwluq45afzv3og35ccr4fahjx3iz6zlnbfdudsmri5o2xeijsyqa._file

Verdict:

malicious

Gh0stRAT

14e364c76ecb11ece52cf5ae57e0b132abc363a54c14a79acb11794c9cc2f2b0

Gh0stRAT

1bd4eeb7f7ae8a4ca1fb2fcf673cbb810ca123d6672a1d6d10ed317688ffcfac

Gh0stRAT

944163147cc3579183fd8e7aae63772e52952d6afb7ae8a9f1205876c6914559

Gh0stRAT

c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9

Gh0stRAT

c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1

Gh0stRAT

cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e

Gh0stRAT

dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c

Gh0stRAT

f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170

Gh0stRAT

+ 88 additional samples on MalwareBazaar

Result

Malware family:

purplefox

Score:

10/10

Tags:

family:gh0strat family:purplefox rat rootkit trojan

Link:

https://tria.ge/reports/230313-mevs1abh9s/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates connected drives

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat

PurpleFox

Unpacked files

SH256 hash:

838e034e27aa37c05bc9df1ec553990ee64afbe6adffa03a6f3decb730a2caca

MD5 hash:

c05674d936917dc6989f44ffdba28a24

SHA1 hash:

6ddbb07cd66f86ed937a1c7938fae4ec6c354950

Link:

https://www.unpac.me/results/8a3a9a2f-7e9b-47cd-94e1-2c6e94499020/

Parent samples :

83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
eaa840e393c8f8a3bdcd865ea6eff59f586e14bd9c3518d88098062056964281
40e261e7bffce05b06dc3d6feaa430d310ec8bde473e1136255965b8aa28f925
5e4f250d0488ca67cd13e2e8c50eba3f8b6da8b99095a561378eab18bcd4a4a0
68abafd00ce80bf87b40ac64359794d75bedc8799e787511e6bd20f6a88295d2

SH256 hash:

35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620

MD5 hash:

ac0ae3f1dcb228ead83ea9e2ef8668bb

SHA1 hash:

c9314ca68f7dbb5257e8754520bebf7a49ec3d34

Link:

https://www.unpac.me/results/8a3a9a2f-7e9b-47cd-94e1-2c6e94499020/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farfli

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Hidden Create hunting rule
Author:	@bartblaze
Description:	Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:	https://github.com/JKornev/hidden

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	INDICATOR_TOOL_RTK_HiddenRootKit Create hunting rule
Author:	ditekSHen
Description:	Detects the Hidden public rootkit

Rule name:	MALWARE_Win_FatalRAT Create hunting rule
Author:	ditekSHen
Description:	Detects FatalRAT

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Windows_Trojan_Gh0st_ee6de6bc Create hunting rule
Author:	Elastic Security
Description:	Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

exe 35974873a02e6bb71b7d10a3c280e9bed19f656d094741c991475dab91099620

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2561380/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/373991/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample