MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49fe889b5081ebb969a26d2eecab566c2ccad3972ee21513fe61994110267714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 14

SHA256 hash: 49fe889b5081ebb969a26d2eecab566c2ccad3972ee21513fe61994110267714
SHA3-384 hash: d341e070697e102563a50470c212f4f53829627e8c167a6d49c3026e7ecad5783190579349d1b7e51954a6bff2b7e83a
SHA1 hash: 8b190233cba587ba6ea0f33931808f71680966bc
MD5 hash: 7ff45c97d89778aebf8d0f41a48527f5
humanhash: coffee-william-item-batman
File name: 7ff45c97d89778aebf8d0f41a48527f5.exe
Signature: Gh0stRAT
File size: 57'405 bytes
First seen: 2022-11-08 06:25:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e58ab46f2a279ded0846d81bf0fa21f7 (7 x Nitol, 5 x Gh0stRAT, 3 x ZeuS)
ssdeep: 768:WiuuULGFeOwBH5UQNY9fzu7/mqFBPkLe1+ETbfyXrLEyqUbAju/SfpqrZA/c89c:pRUaFevZUQC9C7OWBckWxbAKKfu+vc
Threatray: 50 similar samples on MalwareBazaar
TLSH: T12543F1D987626C44ECC305B10796237B66C6CB6CCB3E1B394E5D4E5EBC022A07B47A6C
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: abuse_ch
Tags: exe Gh0stRAT


abuse_ch
Gh0stRAT C2:
183.236.2.18:8084

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7ff45c97d89778aebf8d0f41a48527f5.exe
Verdict: Malicious activity
Analysis date: 2022-11-08 06:28:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the Windows subdirectory
Creating a service
Replacing files
Launching a service
DNS request
Enabling autorun for a service
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GhostRat
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Deletes itself after installation
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected GhostRat
Behaviour
Behavior Graph (ID 740622, sample jpxNkiEhsl.exe, start date 08/11/2022, architecture WINDOWS, score 100): process tree of jpxNkiEhsl.exe, svchost.exe, MpCmdRun.exe and conhost.exe; jpxNkiEhsl.exe drops PE32 files (FastUserSwitchingC...bilityex.dll copy, release.tmp, dll.tmp under C:\Users\user\AppData\Local), and svchost.exe connects to wltt.3322.org (183.236.2.18) on port 8084. The signatures attached to the graph are the ones listed above.
Threat name: Win32.Infostealer.OnlineGames
Status: Malicious
First seen: 2011-05-31 21:18:00 UTC
File Type: PE (Exe)
AV detection: 36 of 41 (87.80%)
Threat level: 5/5
Result
Malware family: gh0strat
Score: 10/10
Tags: family:gh0strat persistence rat
Behaviour
Checks processor information in registry
Suspicious behavior: LoadsDriver
Drops file in System32 directory
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Sets DLL path for service in the registry
Sets service image path in registry
Gh0st RAT payload
Gh0strat
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 253c4ba6298bcea804d91dd83d285816de8d6811dc2af156e4970bd396fedde4
MD5 hash: 0d6d8c92239de95ce61a0e0ac5dcf1dc
SHA1 hash: 7f617845aee5eabfa2a48c48c79bf359b51edfea

SHA256 hash: 4d89f35054fefde8b93c6ff57c1f31ae68136c4f3a6a0ee278ef2ae7cf34b8de
MD5 hash: cf4e83c8c8b2022be68d64383271b025
SHA1 hash: 80c3f4d4ac38ab03192bdcc548facd5076f2e95f

SHA256 hash: 49fe889b5081ebb969a26d2eecab566c2ccad3972ee21513fe61994110267714
MD5 hash: 7ff45c97d89778aebf8d0f41a48527f5
SHA1 hash: 8b190233cba587ba6ea0f33931808f71680966bc

Malware family: Gh0st RAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments