MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stCringe


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc
SHA3-384 hash: 9f436d9a6adba89dbb89d36bf548449bb192212273a7e0826d4d30d1d7ce46f03f9068b1a670f04d01a4381036514d67
SHA1 hash: 468792ac4238de6340b53c1dac05ab3ff594d29f
MD5 hash: 02b29a12ebf1b0b08ce33918d059882a
humanhash: carpet-wisconsin-apart-two
File name:02b29a12ebf1b0b08ce33918d059882a
Download: download sample
Signature Gh0stCringe
Create hunting rule
File size:63'488 bytes
First seen:2021-10-01 13:46:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d9c7208ff3022bb34870c7ddeb406eb1 (5 x Gh0stCringe, 1 x Ramnit, 1 x Gh0stRAT)
ssdeep 768:jbz3IhpglwpDEq2m0j6Tf8V4Ie7ZZa3R1fb961vNPrl7EJnCJ0ulN:n4+wpDElm2IAUZZo1fbs1RVEZCJ0g
Threatray 15 similar samples on MalwareBazaar
TLSH T1F653070DE69FF0E2FB517530260E66328EBDB82C853C951F2E56694D1CF5B80A4AD372
Reporter zbetcheckin
Tags:32 exe Gh0stCringe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
02b29a12ebf1b0b08ce33918d059882a
Verdict:
No threats detected
Analysis date:
2021-10-01 19:12:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b1e96026-3afb-45a7-9d07-e62c9b7a0ca0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194008/
Detection(s):
Win.Trojan.Mikey-9769164-0
Create hunting rule

Win.Malware.Farfli-9832713-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 directory
Creating a service
Launching a service
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82bbf02c-783a-4575-bce6-c1f383859301
Result
Threat name:
Gh0stCringe
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862743
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Gh0stCringe
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495171 Sample: lbm7CagbtD Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 37 Antivirus detection for dropped file 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 7 svchost.exe 2->7         started        10 svchost.exe 1 2->10         started        13 lbm7CagbtD.exe 3 2 2->13         started        15 10 other processes 2->15 process3 dnsIp4 45 Checks if browser processes are running 7->45 47 Contains functionality to detect sleep reduction / modifications 7->47 25 C:\Windows\SysWOW64\CYSRDSL.exe, PE32 10->25 dropped 49 Drops executables to the windows directory (C:\Windows) and starts them 10->49 18 CYSRDSL.exe 10->18         started        27 C:\Windows\SysWOW64\6091640.txt, PE32 13->27 dropped 51 Creates a Windows Service pointing to an executable in C:\Windows 13->51 35 127.0.0.1 unknown unknown 15->35 53 Changes security center settings (notifications, updates, antivirus, firewall) 15->53 21 MpCmdRun.exe 1 15->21         started        file5 signatures6 process7 dnsIp8 29 404xh.com 47.94.142.203, 10086 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 18->29 31 caiyundf.cn 103.45.185.68, 3167 CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali China 18->31 33 192.168.2.1 unknown unknown 18->33 23 conhost.exe 21->23         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 14:53:55 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
28c67cdcd4523ca934a1b72c6c8f5ed39874b6b8f66e3f679cb1095f859f6e83
Gh0stCringe
3eabf4e909e889bfcb994a36d041ced30c30a377a6a0d6057eda4b8f35f4ca0e
Gh0stCringe
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
Gh0stCringe
727bc43e3d9cdf3e79c2232cf3f647bdf94ad2012c31403434c17e5bbeb3c339
Gh0stCringe
7e6b769afc67e5e76904920f69a8d31475576ee4dc3411379efa665de38f7697
Gh0stCringe
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
Gh0stCringe
acaed16a37962b29231a2b0842b616000656a12ff66ce41830ca855a207fc5dc
Gh0stCringe
c973c31f8af3d15abb5963e2764f534e5263828320e9c15e57c953392c32ce65
Gh0stCringe
e7c3f20e293112d02c667e098467572371107a5316ffdf4434dea2e490434771
Gh0stCringe
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211001-q3jx7abhf8/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
Unpacked files
SH256 hash:
4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc
MD5 hash:
02b29a12ebf1b0b08ce33918d059882a
SHA1 hash:
468792ac4238de6340b53c1dac05ab3ff594d29f
Link:
https://www.unpac.me/results/d7ed57fe-2540-4b5f-a644-6e50f2aa12d5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4853453ba12d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stCringe

Executable exe 4853453ba12dde157cec10692eb874f34f333a6ccfb0782bf36ba2c3a57713dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1650428/
Cape
Cape
https://www.capesandbox.com/analysis/194008/

Comments


Avatar
zbet commented on 2021-10-01 13:46:26 UTC

url : hxxp://103.45.185.68:6358/3306.exe