MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dc6f7b7778c8ecdc72aa4bf34932f6806197fd3746afd720e2deff49206ab40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 10



SHA256 hash: 3dc6f7b7778c8ecdc72aa4bf34932f6806197fd3746afd720e2deff49206ab40
SHA3-384 hash: f2275a2de3c4acaec6edf853ec9efa2d149b54b37febd4e151fee7af2a84af46dcd4f2d66abda9d1b0957ca25edb731e
SHA1 hash: ad3361b6c54eb760db68bdd92e81b1e685a2e29e
MD5 hash: 102012b36c1b0b77234cc0f135e58a87
humanhash: alaska-black-carpet-five
File name: 3DC6F7B7778C8ECDC72AA4BF34932F6806197FD3746AF.dll
Signature: Gh0stRAT
File size: 118'784 bytes
First seen: 2022-04-17 07:10:38 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: 61e86d955d9c20723adccf240cb0576b (1 x Gh0stRAT)
ssdeep: 3072:XaaIIf5xahjjNfpDhBns1MWVUvwTcvrH9:qWHahtJhZ+bUvwAv
Threatray: 44 similar samples on MalwareBazaar
TLSH: T10AC36C03F58740FAE5A8157C14FB3776D63F6BA98B1B9F836B14DA650822110DB223CA
TrID: 33.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      14.0% (.SCR) Windows screen saver (13101/52/3)
      11.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter: abuse_ch
Tags: dll Gh0stRAT


abuse_ch
Gh0stRAT C2:
183.236.2.18:2011

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
183.236.2.18:2011    https://threatfox.abuse.ch/ioc/520608/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 263
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a service
Creating a file
Creating a file in the Windows directory
Launching a service
DNS request
Sending a custom TCP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GhostRat
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected GhostRat
Behaviour
Behavior Graph:
[Behavior graph image; ID 610286, sample 3DC6F7B7778C8ECDC72AA4BF349..., start date 17/04/2022, architecture WINDOWS, score 100.] The graph shows the sample loaded through loaddll32.exe and rundll32.exe, with cmd.exe, svchost.exe, MpCmdRun.exe, conhost.exe and several WerFault.exe processes; a DNS request for masan3033.3322.org resolving to 183.236.2.18 (port 2011, CMNET-GUANGDONG-AP China Mobile communications corporation, China); and the dropped files C:\Windows\FileName.jpg (PE32) and C:\Windows\FileName.jpg:Zone.Identifier (ASCII). The signature nodes in the graph repeat the signatures listed above.
Threat name:
Win32.Backdoor.Farfli
Status:
Malicious
First seen:
2011-05-22 12:57:00 UTC
File Type:
PE (Dll)
Extracted files:
3
AV detection:
33 of 42 (78.57%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SHA256 hash:
3dc6f7b7778c8ecdc72aa4bf34932f6806197fd3746afd720e2deff49206ab40
MD5 hash:
102012b36c1b0b77234cc0f135e58a87
SHA1 hash:
ad3361b6c54eb760db68bdd92e81b1e685a2e29e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments