MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b
SHA3-384 hash: d6a5c9dfd0ae2d602ca1c1e56f374d1bfb6bf38c4a194ec7b8dbfcd03a6a2e71a6f220f895ef5b46347bb179ba1045ab
SHA1 hash: d7c9b609a1b9fa215b25e99f43b311a77f20fea0
MD5 hash: 819c5d55396be338b152f90f7558d585
humanhash: kilo-stairway-bravo-queen
File name:sym.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'227'776 bytes
First seen:2025-02-17 06:53:16 UTC
Last seen:2025-02-17 08:44:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f630e23d658d7bb415c7b79249bddb8b (1 x Gh0stRAT)
ssdeep 12288:YKWeBTKifc39cWyOcm57CrPo2iWnLvZkRh9qWnPHjdL5I6Cmd6qKGlR7LcftI:Yw5KisCrPoOjm4WPHZ5I6Cmd6qKIa1
Threatray 6 similar samples on MalwareBazaar
TLSH T1DA45810A2E9D2C59CBA2D336C266D2D39EE9D795804F8394D988F7D80019553FCE62FC
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon f0968ee8aae8e8b2 (9 x Urelas, 5 x HermeticWiper, 4 x Starcat)
Reporter skocherhan
Tags:exe Gh0stRAT


Avatar
skocherhan
http://69.165.65.24:8888/sym.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
509
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
gh0st
Create hunting rule
ID:
1
File name:
sym.exe
Verdict:
Malicious activity
Analysis date:
2025-02-17 06:58:23 UTC
Tags:
gh0st rat
Link:
https://app.any.run/tasks/95ba6e03-df36-46b3-afc0-e6f3d2097486

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen30.25769.17275.7506.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b2de4d28ab76d43a5b6b34
Tags:
dropper shell madi sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Enabling autorun for a service
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/39ff9e0a-782b-48ce-b5e3-9a2181b76f79
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1616761
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Suricata IDS alerts for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2025-02-17 06:54:12 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jmol4pddmd2vf2gnzacud3evami3udk7a6or4z7tyj76cmx45q5q._file
Verdict:
malicious
Label(s):
gh0strat
Create hunting rule
Similar samples:
0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
Gh0stRAT
d5b97d4be78dd6e6795c7e5376faeeaa58ac0b40629ea67291f223d42f19553a
Gh0stRAT
error
Gh0stRAT
f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd
Gh0stRAT
f63ebd6d6e67793c1f3cb27d146d16b4894149f2ec282bdbff387a5730692b5b
Gh0stRAT
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250217-hn97tsvjbx/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Deletes itself
Executes dropped EXE
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec297bf1-eeac-45f3-9bea-be02163ff133
Unpacked files
SH256 hash:
4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b
MD5 hash:
819c5d55396be338b152f90f7558d585
SHA1 hash:
d7c9b609a1b9fa215b25e99f43b311a77f20fea0
Link:
https://www.unpac.me/results/88da3e65-76e0-4a95-83c0-7348edee47fe/
SH256 hash:
9f4e614f8da2231e45d118ae81828e0dc85fb41d97635951bea5b6a8e58b7373
MD5 hash:
fb73bc2a9920af04fa6e0174c06bd04d
SHA1 hash:
1b95e4502086ea664dc454d9de67a8fdfe820c29
Detections:
Mimikatz_Strings
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_Zegost
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
check_installed_software
Create hunting rule
Link:
https://www.unpac.me/results/88da3e65-76e0-4a95-83c0-7348edee47fe/
Parent samples :
f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd
4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b
69ada5ba27acac423073b251d25fc23b09e4d5127f879d07a0c4ae01366ce8a5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3442711/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsapi-ms-win-crt-runtime-l1-1-0.dll::_get_wide_winmain_command_line

Comments