MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b731d42e9a0f8df3d89aa32eecc096ab031b5d825957e33a1a7b65763682817. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 6

Intelligence 6 IOCs 1 YARA 8 File information Comments

SHA256 hash:	3b731d42e9a0f8df3d89aa32eecc096ab031b5d825957e33a1a7b65763682817
SHA3-384 hash:	6c2a9697ecfd7243430105990756746eee20abde5be5bdd0303ea4aa0ecb5ffd535546a751542231df4fb39820eb7a55
SHA1 hash:	f0b566ee9ac79ef8645b05367a20850112d6feb1
MD5 hash:	487396a8bdc78e9e3a7e870a799f73f2
humanhash:	lima-july-bakerloo-stairway
File name:	3b731d42e9a0f8df3d89aa32eecc096ab031b5d825957.dll
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	392'192 bytes
First seen:	2021-09-20 19:36:01 UTC
Last seen:	2021-09-20 20:57:01 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	ea9a2ca34d2afbc261acd3a1ff33f1cf (1 x Gh0stRAT)
ssdeep	6144:p6IkicY+TdQcsRWzrThoecrMt3aQ450MJB3bvwHNlZJ6I6MaXwKBum0wEYS25iay:p6BkcsRqJo4t3iPPGNrsIeXwKAm9EYPO
Threatray	2 similar samples on MalwareBazaar
TLSH	T1B884234A824DB8A0F4B236796AD7AE3F7398F9D52952CF1F890189C93C5DD30361B631
Reporter	abuse_ch
Tags:	dll Gh0stRAT

abuse_ch

Gh0stRAT C2:
103.145.87.50:7777

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
103.145.87.50:7777	https://threatfox.abuse.ch/ioc/224087/

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Zegost

Link:

https://www.capesandbox.com/analysis/189597/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.46996202.7765.25242.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00456818-33a3-4bbf-9125-fbf1be5bf1df

Result

Threat name:

Mimikatz

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/854414

Signature

Detected VMProtect packer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b731d42e9a0f8df3d89aa32eecc096ab031b5d825957e33a1a7b65763682817/

Threat name:

Win32.Infostealer.Magania

Status:

Malicious

First seen:

2021-09-19 19:47:00 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hnzr2qxjud4n6pmjvizo5tajnkyddnoyewkx4m5bu63foy3ifalq._file

Verdict:

malicious

Gh0stRAT

97fc461fd24104740310bd741f7f8ebf489e640aa93a0556640455e674f82a22

Gh0stRAT

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata vmprotect

Link:

https://tria.ge/reports/210920-ya81lshhdl/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates connected drives

Blocklisted process makes network request

VMProtect packed file

suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39

Unpacked files

SH256 hash:

606cf7c09b1f243869e6eb51dbeecda95b48f5ebe4c9a5e4b66ce221c0310a08

MD5 hash:

94938f3cfd640e65f94ff609f9ca4d02

SHA1 hash:

6a08f4bd03787f69dd4ef3883ac3ae0711f46c22

Link:

https://www.unpac.me/results/3f040e9e-17b9-4cbe-842a-bbab5cadf852/

SH256 hash:

35ce473c29712d4ddaa9d3f0d59112c71afc1785b3970ef0bbbc319ef773121d

MD5 hash:

9fbe7dcd43ce7a3dbd0e5f34337a59c5

SHA1 hash:

98215f20fb80baf307e622ebd378643f3b631342

Link:

https://www.unpac.me/results/3f040e9e-17b9-4cbe-842a-bbab5cadf852/

SH256 hash:

3b731d42e9a0f8df3d89aa32eecc096ab031b5d825957e33a1a7b65763682817

MD5 hash:

487396a8bdc78e9e3a7e870a799f73f2

SHA1 hash:

f0b566ee9ac79ef8645b05367a20850112d6feb1

Link:

https://www.unpac.me/results/3f040e9e-17b9-4cbe-842a-bbab5cadf852/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.24

Link:

https://yomi.yoroi.company/submissions/3b731d42e9a0f8df3d89aa32eecc096ab031b5d825957e33a1a7b65763682817

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GhostDragon_Gh0stRAT Create hunting rule
Author:	Florian Roth
Description:	Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:	https://blog.cylance.com/the-ghost-dragon

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Winnti_NlaifSvc Create hunting rule
Author:	Florian Roth
Description:	Winnti sample - file NlaifSvc.dll
Reference:	https://goo.gl/VbvJtL

Rule name:	Winnti_NlaifSvc_RID2CFF Create hunting rule
Author:	Florian Roth
Description:	Winnti sample - file NlaifSvc.dll
Reference:	https://goo.gl/VbvJtL

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/189597/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample