MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56300ca629b9099e6bfcb4befcebee1141093eb321be81717ab02d724eaaa81a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT
Vendor detections: 15

SHA256 hash: 56300ca629b9099e6bfcb4befcebee1141093eb321be81717ab02d724eaaa81a
SHA3-384 hash: 8461d61fe087d0a0d4977f4b64694f91a0f43b15e78994a25b3447e2280aad7d27289cb6e246b2b8da0e5e7d2d868658
SHA1 hash: 418c19800a0cede122698076c3743ceaac998960
MD5 hash: b22d793f384b66717e28b1bfb959296a
humanhash: snake-lake-oxygen-seventeen
File name: 56300CA629B9099E6BFCB4BEFCEBEE1141093EB321BE81717AB02D724EAAA81A.exe
Signature: Gh0stRAT
File size: 16'676'356 bytes
First seen: 2024-07-24 14:32:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (82 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep: 393216:6zanXxdNH/h1CPwv3uzXPJqkDVofDGeg3RK:YwXxf/WRDVobdgo
Threatray: 110 similar samples on MalwareBazaar
TLSH: T15BF6E032B5418862EB56113078E67336DC357DAF88D1CA479F5BBE19CCF21508AFA24E
TrID: 77.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      6.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      5.0% (.EXE) InstallShield setup (43053/19/16)
      4.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      1.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
dhash icon: 967369d4c44d7196 (1 x Gh0stRAT)
Reporter: Anonymous
Tags: exe Gh0stRAT


Comment from Anonymous: this malware sample is very nasty!

Intelligence

File Origin
# of uploads: 1
# of downloads: 327
Origin country: US

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Generic Infostealer Network Stealth Trojan Delphi

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the Windows directory
Creating a process with a hidden window
Searching for the window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm cmd expand fingerprint keylogger lolbin packed packed remote shell32

Result
Verdict: MALICIOUS
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: GhostRat, Nitol
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Creates files in alternative data streams (ADS)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph (ID 1480255; sample VaajyQsbTV.exe; start date 24/07/2024; architecture WINDOWS; score 100). Process tree and edges recovered from the rendered graph:

Sample level: contacts freedns.afraid.org, xred.mooo.com and 4 other IPs or domains; uses dynamic DNS services; found malware configuration; antivirus detection for URL or domain; antivirus detection for dropped file; 14 other signatures.
VaajyQsbTV.exe (started)
    drops: C:\Users\user\...\._cache_VaajyQsbTV.exe (PE32), C:\ProgramData\Synaptics\Synaptics.exe (PE32), C:\ProgramData\Synaptics\RCX9677.tmp (PE32), C:\...\Synaptics.exe:Zone.Identifier (ASCII)
    starts: ._cache_VaajyQsbTV.exe, Synaptics.exe
    ._cache_VaajyQsbTV.exe
        drops: C:\Windows\ShellExperienceHost.exe (PE32), C:\Users\user\Desktop\libeay32.dll (PE32), C:\Users\user\Desktop\enyt.dll (PE32)
        signatures: antivirus detection for dropped file; multi AV scanner detection for dropped file; machine learning detection for dropped file; drops executables to the Windows directory (C:\Windows) and starts them
        starts: ShellExperienceHost.exe, WerFault.exe
        ShellExperienceHost.exe
            contacts: 8.130.77.167:3458 (CNNIC-ALIBABA-CN-NET-AP, Singapore)
            drops: ProgramData:$SS_DE...T98JRFFSPF7VBCVPJGF (data, alternate data stream)
            signatures: antivirus detection for dropped file; multi AV scanner detection for dropped file; creates files in alternative data streams (ADS); 3 other signatures
    Synaptics.exe
        contacts: freedns.afraid.org (69.42.215.252:80, AWKNET-LLC, United States), drive.usercontent.google.com (142.250.185.161:443, GOOGLE, United States), docs.google.com (172.217.16.142:443, GOOGLE, United States)
        drops: ~$cache1 (PE32) under C:\Users\user\Documents
        signatures: drops PE files to the document folder of the user
        starts: WerFault.exe
EXCEL.EXE (started)
    contacts: s-part-0014.t-0009.t-msedge.net (13.107.246.42:443, MICROSOFT-CORP-MSN-AS-BLOCK, United States)
Synaptics.exe (started)
Threat name: Win32.Trojan.Synaptics
Status: Malicious
First seen: 2024-07-07 06:52:34 UTC
File Type: PE (Exe)
Extracted files: 316
AV detection: 24 of 24 (100.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: aspackv2 discovery persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Checks computer location settings
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: ClamAV_Emotet_String_Aggregate

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: D1S1Gv11betaD1N
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_indirect_function_call_3
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Gh0stRAT
Executable exe 56300ca629b9099e6bfcb4befcebee1141093eb321be81717ab02d724eaaa81a (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteExA
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessA, advapi32.dll::OpenProcessToken, kernel32.dll::OpenProcess, kernel32.dll::CloseHandle, wininet.dll::InternetCloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::TerminateProcess, kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetDriveTypeA, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoA
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CopyFileA, kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::CreateFileMappingA, kernel32.dll::DeleteFileA, kernel32.dll::MoveFileA
WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameA, advapi32.dll::GetUserNameA, advapi32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegCreateKeyExA, advapi32.dll::RegNotifyChangeKeyValue, advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA, advapi32.dll::RegSetValueExA
WIN_SVC_API | Can Manipulate Windows Services | advapi32.dll::OpenSCManagerA
WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::CreateWindowExA

Comments