MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MimiKatz

Vendor detections: 16

Intelligence 16 IOCs YARA 22 File information Comments

SHA256 hash:	5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
SHA3-384 hash:	b9e71bcaefa3d2148fad500da4ce2f51eb116edd54ce6d7244a99ca2257001c574789db2143eff99f9c72570f2c5e897
SHA1 hash:	9fe8436f8e1f6198b883404f0b59256b4f08bbed
MD5 hash:	2a5f4c6d957f37ecea115fffe6d28467
humanhash:	cola-london-whiskey-fanta
File name:	SecuriteInfo.com.Win32.RATX-gen.24533.28061
Download:	download sample
Signature	MimiKatz Create hunting rule
File size:	2'138'112 bytes
First seen:	2024-04-24 10:28:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	703074f7e4b33aefff112f419dacba1a (1 x MimiKatz)
ssdeep	49152:aVhyh5fVd/kOz40n4OdaVZsNz/Trp/HfaBa4kRQaddfZL17N:LY4rn4OdYiH9Qa/RLz
TLSH	T118A5DF45AC9FE0BEFD3D8538D006D6485823F46AB45868ED9AC8671434E276360BFF1E
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	c8c971a14d8e96aa (1 x MimiKatz)
Reporter	SecuriteInfoCom
Tags:	exe mimikatz

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Malware family:

gh0st

ID:

File name:

5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8.exe

Verdict:

Malicious activity

Analysis date:

2024-04-24 10:28:47 UTC

Tags:

remote rat gh0st gh0stcringe

Link:

https://app.any.run/tasks/0d7951fa-084a-4500-a83d-45c4f43c8842

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Creating a service

Launching a service

Creating a process from a recently created file

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a process

Enabling autorun for a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm farfli hook installer lolbin packed packed safengine_shielden shell32

Link:

https://www.filescan.io/uploads/6628defbd2fc149e411bc4f3/reports/c8baf29d-d573-447b-8434-8af9153ac8af/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9595f917-8180-4590-9757-dc3ac7c4152b

Result

Threat name:

GhostRat, Mimikatz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1430960

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Contains functionality to modify windows services which are used for security filtering and protection

Detected unpacking (changes PE section rights)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Tries to detect virtualization through RDTSC time measurements

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected GhostRat

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2024-04-23 10:43:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kbmnq2oftp5tjagr3rxy6uorsgw3readtse77h6wnd7hwsaqtg4a._file

Verdict:

malicious

Result

Malware family:

purplefox

Score:

10/10

Tags:

family:gh0strat family:purplefox persistence rat rootkit trojan

Link:

https://tria.ge/reports/240424-mh8h9sgg82/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates connected drives

Deletes itself

Executes dropped EXE

Drops file in Drivers directory

Sets service image path in registry

Detect PurpleFox Rootkit

Gh0st RAT payload

Gh0strat

PurpleFox

Unpacked files

SH256 hash:

e729e0d5037e20f78e1b9665ca29e6355c6f80ae1c6078135c8b5eac4549c4f7

MD5 hash:

78d82a5020250476fa22b2bf47ec2834

SHA1 hash:

4291ce7e33e5c75f10c19308dd79772da45f2b45

Detections:

INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

check_installed_software

Mimikatz_Strings

Hidden

MALWARE_Win_PCRat

INDICATOR_TOOL_RTK_HiddenRootKit

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/d533222f-4f45-4b73-be45-6a3fed295460/

Parent samples :

5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b

SH256 hash:

5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8

MD5 hash:

2a5f4c6d957f37ecea115fffe6d28467

SHA1 hash:

9fe8436f8e1f6198b883404f0b59256b4f08bbed

Link:

https://www.unpac.me/results/d533222f-4f45-4b73-be45-6a3fed295460/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5058d869c59b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Armadillov1xxv2xx Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Hidden Create hunting rule
Author:	@bartblaze
Description:	Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:	https://github.com/JKornev/hidden

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	INDICATOR_TOOL_RTK_HiddenRootKit Create hunting rule
Author:	ditekSHen
Description:	Detects the Hidden public rootkit

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Trojan_Gh0st_ee6de6bc Create hunting rule
Author:	Elastic Security
Description:	Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
WIN_REG_API	Can Manipulate Windows Registry	MFC42.DLL::RegDeleteKeyA MSVCRT.dll::RegDeleteKeyA KERNEL32.dll::RegDeleteKeyA USER32.dll::RegDeleteKeyA GDI32.dll::RegDeleteKeyA COMCTL32.dll::RegDeleteKeyA MSVCP60.dll::RegDeleteKeyA IPHLPAPI.DLL::RegDeleteKeyA PSAPI.DLL::RegDeleteKeyA ADVAPI32.dll::RegDeleteKeyA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample