MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
SHA3-384 hash: bade6d7b8ffd2fb5d7e5f65e9cbfb62f688a17884aca1c06e1266bdf3c12b2fae3a82b9921a7e7e540e55972ce7214a8
SHA1 hash: acc808accbb6897da328a1def679b42e198bf9e0
MD5 hash: 8b1b9af08bc62e4608d21b5568c0a581
humanhash: quebec-virginia-mockingbird-shade
File name:WPS办公软件 v76.23.66.msi
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:9'958'912 bytes
First seen:2024-07-17 15:08:41 UTC
Last seen:2024-07-24 14:00:45 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:nWxLkNZONFiVDfWpugrukEa3bwQLWnhLQusRQR7p+2+E:nELkNZONFMUFruxoNazsRO7pJt
Threatray 1 similar samples on MalwareBazaar
TLSH T10CA6022671DAC636EB7F8630657ADB3A21BA7BE20BB150CB63C01D2A0E745C11275F17
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter vm001cn
Tags:Gh0stRAT msi signed

Code Signing Certificate

Organisation:JadeSky Quadtech Innovation Institute Co., Ltd.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-21T06:53:03Z
Valid to:2024-12-21T06:53:03Z
Serial number: 13571f806046e2caf0de480f
Thumbprint Algorithm:SHA256
Thumbprint: 86dd880256024050164f0d096d816c47565ec383c86dd3606486f581079f5466
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.43328.4835.30075.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6697de94936dc865ddc74e2d
Tags:
Other Stealth Trojan
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
Result
Threat name:
FatalRAT, GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1475158
Signature
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected FatalRAT
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1475158 Sample: WPS#U529e#U516c#U8f6f#U4ef6... Startdate: 17/07/2024 Architecture: WINDOWS Score: 100 54 collect.installeranalytics.com 2->54 56 shuc-pc-snow.ksord.com 2->56 58 3 other IPs or domains 2->58 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Yara detected FatalRAT 2->64 66 3 other signatures 2->66 7 msiexec.exe 12 63 2->7         started        11 thelper.exe 2 2->11         started        13 WPS.exe 2 1 2->13         started        15 3 other processes 2->15 signatures3 process4 file5 36 C:\Windows\Installer\MSI706F.tmp, PE32 7->36 dropped 38 C:\Windows\Installer\MSI704E.tmp, PE32 7->38 dropped 40 C:\Users\user\AppData\Roaming\WPS.exe, PE32 7->40 dropped 44 29 other files (1 malicious) 7->44 dropped 70 Drops executables to the windows directory (C:\Windows) and starts them 7->70 17 msiexec.exe 64 7->17         started        22 msiexec.exe 4 7->22         started        24 MSI704E.tmp 7->24         started        26 MSI706F.tmp 7->26         started        42 C:\Users\user\AppData\Local\thelper.exe, PE32 11->42 dropped 72 Found API chain indicative of debugger detection 11->72 28 thelper.exe 11->28         started        74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->74 30 WPS.exe 4 11 13->30         started        signatures6 process7 dnsIp8 46 collect.installeranalytics.com 54.224.49.0, 49733, 80 AMAZON-AESUS United States 17->46 32 C:\Users\user\AppData\Local\...\shi5FD6.tmp, PE32 17->32 dropped 34 C:\Users\user\AppData\Local\...\shi5E8D.tmp, PE32 17->34 dropped 68 Query firmware table information (likely to detect VMs) 17->68 48 dw-online.ksosoft.com 116.181.3.214, 49734, 49735, 80 UNICOM-CNChinaUnicomIPnetworkCN China 30->48 50 klbv2.wpsdns.com 119.3.210.249, 443, 49743 HWCSNETHuaweiCloudServicedatacenterCN China 30->50 52 shuc-pc-snow.ksord.com 110.249.194.76, 49736, 80 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN China 30->52 file9 signatures10
Score:
75%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b/
Threat name:
Binary.Exploit.Marte
Create hunting rule
Status:
Malicious
First seen:
2024-07-17 15:09:07 UTC
File Type:
Binary (Archive)
Extracted files:
213
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpzt2vjr7yyzx3j5cvigbdpnmuxpnnjeg63mzfgupigtrd23wa5q._file
Verdict:
unknown
Similar samples:
4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
Gh0stRAT
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:fatalrat family:gh0strat bootkit infostealer persistence rat upx
Link:
https://tria.ge/reports/240717-sjfgrswdkp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Blocklisted process makes network request
Enumerates connected drives
Writes to the Master Boot Record (MBR)
UPX packed file
Fatal Rat payload
FatalRat
Gh0st RAT payload
Gh0strat
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3110c6d4-6870-45d0-97d6-dd4be1a434b1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments