MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0
SHA3-384 hash: 7d3e7fef52d4e23edfbd25fa1ed68ee0eca8f520635a917f5ddab3a6be47e34254ec82c36165dbc2a5f43438f61dfa63
SHA1 hash: 1fb5f34bff4629779af1c3318a59899aaa4805b0
MD5 hash: 04c71f94367c495e5e9d7ed91fdeb190
humanhash: four-hydrogen-one-bacon
File name:04c71f94367c495e5e9d7ed91fdeb190
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:384'000 bytes
First seen:2021-06-24 14:37:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 92cbf1b7939e726b820cc211fce00750 (5 x Gh0stRAT)
ssdeep 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8NhA5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyJd
Threatray 34 similar samples on MalwareBazaar
TLSH 2A841210A4FE4C19C2C521700D2DAF8A6CBA50E52EB01C4FBEADFF765DF59D89028697
Reporter zbetcheckin
Tags:32 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
04c71f94367c495e5e9d7ed91fdeb190
Verdict:
No threats detected
Analysis date:
2021-06-24 14:41:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/571c7142-f780-4019-ac61-cf6184babe62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168059/
Detection(s):
Win.Trojan.Farfli-9645812-0
Create hunting rule

Win.Trojan.Farfli-9645833-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Farfli
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a710663-d50b-4fca-8e22-cd7a110bdda2
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807556
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439967 Sample: ONwfwPqLM4 Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 3 other signatures 2->44 7 mysql.exe 2->7         started        10 ONwfwPqLM4.exe 1 2 2->10         started        13 svchost.exe 2->13         started        15 5 other processes 2->15 process3 file4 52 Antivirus detection for dropped file 7->52 54 Multi AV Scanner detection for dropped file 7->54 56 Machine Learning detection for dropped file 7->56 58 Drops executables to the windows directory (C:\Windows) and starts them 7->58 17 mysql.exe 14 1 7->17         started        30 C:\Windows\SysWOW64\mysql.exe, PE32 10->30 dropped 32 C:\Windows\...\mysql.exe:Zone.Identifier, ASCII 10->32 dropped 22 cmd.exe 1 10->22         started        signatures5 process6 dnsIp7 34 121.4.183.54, 1144, 49720 ONQ-AS-APOnQAU China 17->34 28 C:\Windows\System32\drivers\QAssist.sys, PE32+ 17->28 dropped 46 Sample is not signed and drops a device driver 17->46 36 127.0.0.1 unknown unknown 22->36 48 Uses ping.exe to sleep 22->48 50 Uses ping.exe to check the status of other devices and networks 22->50 24 conhost.exe 22->24         started        26 PING.EXE 1 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 07:25:26 UTC
AV detection:
41 of 46 (89.13%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49
Gh0stRAT
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
Gh0stRAT
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
Gh0stRAT
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
Gh0stRAT
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
Gh0stRAT
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
Gh0stRAT
ad8bb6a26ffb2234855a89f214ac91cc98c8e53910a181f7cf9828062a734c03
Gh0stRAT
ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
Gh0stRAT
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Gh0stRAT
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
Gh0stRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210624-19tew3flhn/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
c1693173b9c6738f4c2f377acf7a3804431410857f0881e6fcbf1ad804bb8999
MD5 hash:
c626161fde88be001c9a75c538bb8a4a
SHA1 hash:
9885b917b4d3aeb73d3257770815f82e45803fd3
Link:
https://www.unpac.me/results/2a4736ec-6ffc-4232-8d21-9a37893b170a/
Parent samples :
14f381c0d75d7477de4bc89012f6916dcf1d373c4ebb23684baa73ddd3bef054
311198eeb76c5cb081151452a73159c194300121515e3fd875429152ae7761aa
SH256 hash:
45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0
MD5 hash:
04c71f94367c495e5e9d7ed91fdeb190
SHA1 hash:
1fb5f34bff4629779af1c3318a59899aaa4805b0
Link:
https://www.unpac.me/results/2a4736ec-6ffc-4232-8d21-9a37893b170a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 45b9b5a84f5275c59e017c2d3d685da689d39478dac5464b5acab97ef42073e0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394858/
Cape
Cape
https://www.capesandbox.com/analysis/168059/

Comments