MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd
SHA3-384 hash: bcf7a11da2a9349878afd0a896548371bcf93213c7a97615e87af0fc2d9382b4676a02a25551bc4d2d2a60570d25b572
SHA1 hash: 61c4e925d54b4e85564abb2a233b976306ee4e74
MD5 hash: f9f5342074462fa1048fea806eef535f
humanhash: aspen-pip-crazy-india
File name:f9f5342074462fa1048fea806eef535f
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:265'216 bytes
First seen:2024-06-29 06:03:18 UTC
Last seen:2025-02-21 21:36:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3b3dc2709d13b6bbe20eb1df71d207fa (1 x Gh0stRAT)
ssdeep 6144:r+k9IKKJPa1DyKHC055swEUkezQ12rqyFWaiwV:ik9IKKJip9C0kmzQ12rqyQaX
TLSH T1FB4423B9277F8093D257803F653DDA517589F5E1004AC7EE812A071ADE327FEE689831
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4504/4/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT UPX

Intelligence

File Origin
# of uploads :
2
# of downloads :
435
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TQ.exe
Verdict:
Malicious activity
Analysis date:
2024-06-29 20:22:58 UTC
Tags:
loader evasion upx blackmoon
Link:
https://app.any.run/tasks/789bb7ae-3e95-435a-95c7-40983bbfc652

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Tiggre-9845940-0
Create hunting rule

Win.Tool.Printspoofer-10016376-0
Create hunting rule

Win.Malware.Printspoofer-10016377-0
Create hunting rule

Win.Trojan.Lazy-10031882-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667fa40e17db6c2841b23015win10vpnfull_triage
Tags:
Network Static Stealth Trojan Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a service
Launching a process
Creating a window
Connection attempt to an infection source
Adding an access-denied ACE
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP GET request
Creating a service
Searching for synchronization primitives
Launching the process to change network settings
Launching the process to change the firewall settings
Possible injection to a system process
Enabling autorun for a service
Enabling autorun
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypto hook keylogger lolbin microsoft_visual_cc monero packed packed packed powershell shell32 upx
Link:
https://www.filescan.io/uploads/667fa3d30bf5978c0b1355d2/reports/f6153710-7e94-413c-ac17-510d550408a5/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KRBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c75f63d-edb3-46e1-9404-32f561a2972b
Result
Threat name:
BlackMoon, DoublePulsar, ETERNALBLUE, Gh
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1464591
Signature
Adds new windows firewall policy
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify windows services which are used for security filtering and protection
Creates a Windows Service pointing to an executable in C:\Windows
Creates files in the system32 config directory
Downloads files with wrong headers with respect to MIME Content-Type
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of sandbox detection
Found evasive API chain checking for user administrative privileges
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected BlackMoon Ransomware
Yara detected DoublePulsar
Yara detected ETERNALBLUE
Yara detected Generic Downloader
Yara detected GhostRat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1464591 Sample: 38iGnQnL33.exe Startdate: 29/06/2024 Architecture: WINDOWS Score: 100 78 www.4i7i.com 2->78 80 www.362-com.com 2->80 82 4 other IPs or domains 2->82 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 16 other signatures 2->98 8 svchost.exe 2->8         started        12 MpMgSvc.exe 2 26 2->12         started        15 38iGnQnL33.exe 1 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 58 C:\Windows\Temp\ctfmoon.exe, PE32 8->58 dropped 60 C:\Windows\SysWOW64\config\...\64[1].jpg, PE32+ 8->60 dropped 72 113 other files (15 malicious) 8->72 dropped 112 System process connects to network (likely due to code injection or exploit) 8->112 114 Creates files in the system32 config directory 8->114 116 Found API chain indicative of sandbox detection 8->116 134 5 other signatures 8->134 19 ctfmoon.exe 8->19         started        22 Traffmonetizer.exe 8->22         started        25 svchost.exe 8->25         started        36 13 other processes 8->36 86 members.3322.org 12->86 88 opendata.baidu.com 12->88 90 111 other IPs or domains 12->90 62 C:\Windows\Temp\zlib1.dll, PE32 12->62 dropped 64 C:\Windows\Temp\xdvl-0.dll, PE32 12->64 dropped 66 C:\Windows\Temp\x86.dll, PE32 12->66 dropped 74 19 other malicious files 12->74 dropped 118 Connects to many different private IPs via SMB (likely to spread or exploit) 12->118 120 Connects to many different private IPs (likely to spread or exploit) 12->120 122 Drops executables to the windows directory (C:\Windows) and starts them 12->122 27 Wmicc.exe 12->27         started        68 C:\Users\user\Desktop\MSSQLH.exe, PE32 15->68 dropped 124 Found evasive API chain checking for user administrative privileges 15->124 29 MSSQLH.exe 1 1 15->29         started        70 C:\Windows\SysWOW64\...behaviorgraphraphicsPerfSvcs.dll, PE32 17->70 dropped 126 Creates a Windows Service pointing to an executable in C:\Windows 17->126 128 Uses netsh to modify the Windows network and firewall settings 17->128 130 Adds new windows firewall policy 17->130 32 netsh.exe 17->32         started        34 netsh.exe 17->34         started        38 10 other processes 17->38 file6 132 Uses dynamic DNS services 86->132 signatures7 process8 dnsIp9 40 conhost.exe 19->40         started        84 blnc.traffmonetizer.com 144.76.194.78 HETZNER-ASDE Germany 22->84 100 Creates files in the system32 config directory 22->100 102 System process connects to network (likely due to code injection or exploit) 25->102 76 C:\Windows\Logs\RunDllExe.dll, PE32+ 29->76 dropped 104 Antivirus detection for dropped file 29->104 106 Multi AV Scanner detection for dropped file 29->106 108 Machine Learning detection for dropped file 29->108 110 Found evasive API chain checking for user administrative privileges 29->110 42 conhost.exe 32->42         started        44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        50 conhost.exe 36->50         started        54 10 other processes 36->54 52 conhost.exe 38->52         started        56 9 other processes 38->56 file10 signatures11 process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd/
Threat name:
Win32.Exploit.CVE-2021-1675
Create hunting rule
Status:
Malicious
First seen:
2024-06-22 09:54:20 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwd324r7qjt4hqf665pswubdehcrrldkbfuw6olrvtst2c5faxgq._file
Verdict:
malicious
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon family:gh0strat banker discovery evasion persistence privilege_escalation rat trojan upx
Link:
https://tria.ge/reports/240629-gsk8tsscqb/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Boot or Logon Autostart Execution: Port Monitors
Downloads MZ/PE file
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Creates a large amount of network flows
Blackmoon, KrBanker
Detect Blackmoon payload
Gh0st RAT payload
Gh0strat
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ab794aff-0d49-4cb8-bf1e-0a214df1ae7c
Unpacked files
SH256 hash:
fae30c83ee2d6a1736a8b9004c7c1a0881dd9cbf9f65d956be29540c574e21a6
MD5 hash:
340ffcabb801789f2d4e49c6bc081fe1
SHA1 hash:
ec35d434bb5bdd3636a2ea8fc6c777b14ae4f7a0
Link:
https://www.unpac.me/results/6e1375d8-fe88-40f1-9d25-881515637247/
SH256 hash:
508cacc6d7661eb154dcd6f3e23aef48d7153245dc88482c55fe46b78536ed5f
MD5 hash:
d5dcdf45ca45a3bdc86f840700073a5f
SHA1 hash:
8f52a47b354a8d6971da717a415efb79670f5fe5
Link:
https://www.unpac.me/results/6e1375d8-fe88-40f1-9d25-881515637247/
SH256 hash:
224bf0bd119ef5c8aed25875cb66f62f9e2054dea8de5a3083cc43468a5da0da
MD5 hash:
214f53c5c0181d9e0531c48d46ed0881
SHA1 hash:
4d5629a5fbb29439b66caf98c5cec56730118ecd
Detections:
BlackmoonBanker
Create hunting rule
MALWARE_Win_BlackMoon
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/6e1375d8-fe88-40f1-9d25-881515637247/
SH256 hash:
8b30b7a99e82bbab6dea57b4a918cc24dbf6f9ecebc797f989d7725307fb82f5
MD5 hash:
977cf8372dbd09a9e5323f7f31543d6b
SHA1 hash:
0d7ad41138dbcf959e9dd5227904e1b03e973892
Detections:
win_juicy_potato_w0
Create hunting rule
Link:
https://www.unpac.me/results/6e1375d8-fe88-40f1-9d25-881515637247/
SH256 hash:
1327c0684c8341d3d17b035c63315df93d6315b97b9484f1075b9bf251485e15
MD5 hash:
dcf102b1c40cbb682838adca7f0dc0af
SHA1 hash:
4bbb24103e71a96599ea953ec032995ac4bc3885
Link:
https://www.unpac.me/results/6e1375d8-fe88-40f1-9d25-881515637247/
SH256 hash:
5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd
MD5 hash:
f9f5342074462fa1048fea806eef535f
SHA1 hash:
61c4e925d54b4e85564abb2a233b976306ee4e74
Link:
https://www.unpac.me/results/6e1375d8-fe88-40f1-9d25-881515637247/
Malware family:
Equation Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5d87bd723f82/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eternalblue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_3
Create hunting rule
Author:Kevin Falcoz
Description:UPX 3.X

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2912423/
  
URLhaus
https://urlhaus.abuse.ch/url/2914055/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments


Avatar
zbet commented on 2024-06-29 06:03:19 UTC

url : hxxp://ssl.ftp21.cc/TQ.jpg