MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1
SHA3-384 hash:	6cfb5f2190fe511f88b7512eb60bc4e6d918200fd31b191f61f529607061ab0f1fac2df365708003bd577ee032ac5da8
SHA1 hash:	c2397b7188cffc8296d7af1ba5bb47439e094009
MD5 hash:	0ebd07f44c223d764ca0360f47f9a121
humanhash:	south-seven-south-fruit
File name:	3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	99'911 bytes
First seen:	2020-03-23 18:50:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	09d0478591d4f788cb3e5ea416c25237 (4 x Worm.Mofksys, 3 x Blackmoon, 2 x Gh0stRAT)
ssdeep	3072:uBrDtK9tu2GQqgpqlEwsuyL3u3w2x/GkQ5oZRp7gqSpe2:uSd2lm93uHsSp7gbZ
Threatray	38 similar samples on MalwareBazaar
TLSH	13A31241B4772B8BEA630D325FAD97A2B389BE04877B9A1C3197241969B4F3D5052332
Reporter	Marco_Ramilli
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.PecompactHeuris-1

PUA.Win.Packer.Pecompact-72

PUA.Win.Packer.Pecompact-74

PUA.Win.Packer.Pecompact-75

PUA.Win.Packer.Pecompact-69

SecuriteInfo.com.BackDoor.Generic_r.EHC.26103.31407.UNOFFICIAL

PUA.Win.Adware.Softpulse-6693799-0

Gathering data

Threat name:

Win32.Trojan.Farfli

Status:

Malicious

First seen:

2014-01-10 04:28:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Verdict:

malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Gen_Net_LocalGroup_Administrators_Add_Command Create hunting rule
Author:	Florian Roth
Description:	Detects an executable that contains a command to add a user account to the local administrators group
Reference:	Internal Research

Rule name:	GhostDragon_Gh0stRAT Create hunting rule
Author:	Florian Roth
Description:	Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:	https://blog.cylance.com/the-ghost-dragon

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

exe 3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/163774/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample