MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5347fdd91d9ff6a79f65acce957ae89ef40e8503c49792a24072f1321bec3d2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 8



SHA256 hash: 5347fdd91d9ff6a79f65acce957ae89ef40e8503c49792a24072f1321bec3d2f
SHA3-384 hash: 21cfd71341738f170f8d55918390692c84dbaed5d885c436aa9ac9b141d2e74ed3f7c864f186cd0e112ba21c63d2ae8c
SHA1 hash: b860f02ec87a93685f38ca5aaf9e4054f3bbd560
MD5 hash: 9d67e1c70d3bd1cd272b89c2da1d1025
humanhash: twenty-alabama-carbon-berlin
File name: 9d67e1c70d3bd1cd272b89c2da1d1025.exe
Signature: Gh0stRAT
File size: 156'461 bytes
First seen: 2022-02-17 02:31:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7dc55f70c806d53cf7af9f7f3cd8ee9c (1 x Gh0stRAT)
ssdeep: 3072:D2H9BwwfdtG79onTCBvqYzVKBaUi5zNy7oidb2bB:iH9BwOdSSkKk1x4kid2
Threatray: 25 similar samples on MalwareBazaar
TLSH: T11CE37D02F68540FAF5B5113C58AB7B3AD63BBDA09B095E837724EE790833511BB1634B
dhash icon: e0e4a2aaa4b8a888 (10 x DarkWatchman, 5 x SnakeKeylogger, 5 x Formbook)
Reporter: abuse_ch
Tags: exe, Gh0stRAT


abuse_ch
Gh0stRAT C2:
183.236.2.18:8000

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 183.236.2.18:8000
ThreatFox reference: https://threatfox.abuse.ch/ioc/388288/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 255
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a process with a hidden window
Creating synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Windows subdirectory
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a tool to kill processes
Moving of the original file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Behaviour
Behavior Graph (ID 573780; sample JcFFTf55hH.exe; start date 17/02/2022; architecture WINDOWS; score 100), recovered from the graph rendering:
Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 6 other signatures.
JcFFTf55hH.exe started and dropped two PE32 files: C:\Program Files (x86)\wi6295328nd.temp and C:\WINDOWS\Temp\33257 (copy).
JcFFTf55hH.exe started rundll32.exe and three instances of taskkill.exe; each taskkill.exe started a conhost.exe.
rundll32.exe resolved yctou.3322.org to 183.236.2.18 and connected to port 8000 (CMNET-GUANGDONG-AP China Mobile communications corporation, China); signature: System process connects to network (likely due to code injection or exploit).
Threat name: Win32.Infostealer.Magania
Status: Malicious
First seen: 2011-10-18 05:37:00 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 36 of 43 (83.72%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SHA256 hash: 10bc4f46a2fbca385c4217a3f11382bb7be88f9064d6d3fc73db7289292e26d8
MD5 hash: d86ed1a776ba80301db418fce5a46fca
SHA1 hash: ac9e771d5e03d33601dd10e7d963c160c4a523ef

SHA256 hash: 5347fdd91d9ff6a79f65acce957ae89ef40e8503c49792a24072f1321bec3d2f
MD5 hash: 9d67e1c70d3bd1cd272b89c2da1d1025
SHA1 hash: b860f02ec87a93685f38ca5aaf9e4054f3bbd560

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GhostDragon_Gh0stRAT
Author: Florian Roth
Description: Detects Gh0st RAT mentioned in Cylance's Ghost Dragon Report
Reference: https://blog.cylance.com/the-ghost-dragon

Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP
Author: ditekSHen
Description: Detects executables embedding a registry key / value combination manipulating RDP / Terminal Services

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments