MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dbda634d2ac2fa1c53a15b77ad8c0772d578e004fa98fea7668c6082f00b1a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 12



SHA256 hash: 5dbda634d2ac2fa1c53a15b77ad8c0772d578e004fa98fea7668c6082f00b1a6
SHA3-384 hash: 124730a9e9e21e1b99fae4f269dfb2eee4d8b1942e208049935ed4817a0e15a3d26ba6e21409facc09854c13ce1c63a7
SHA1 hash: a886715ebbce5c047e3e23dc8d0aa513b2b194b8
MD5 hash: f029c534a1dc47d593f1aa413432cdf0
humanhash: mango-fix-lemon-uranus
File name: f029c534a1dc47d593f1aa413432cdf0
Signature Gh0stRAT
File size: 4'612'096 bytes
First seen: 2023-10-17 10:21:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 8c3834fc7034d44bcc087a16f2eb9619 (1 x Gh0stRAT)
ssdeep 98304:FMKSSFYyri259a1iGrqHKBQLso2kFK7RNVYRiD:yKvS2LbMqHOQIo2k8ZU0
Threatray 82 similar samples on MalwareBazaar
TLSH T16E260213706A800FE6676DFB078F817055F46EED60DAD30D7282B71A06FA328159F7A8
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon 9878eac15290a004 (3 x CobaltStrike, 1 x Gh0stRAT, 1 x ValleyRAT)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT
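As an added example (not code from MalwareBazaar or from this page), the following Python is the pre-detonation check an analyst would run on a sample downloaded from this entry: it recomputes the four digests listed above and compares them with the entry, and it parses the DOS/PE headers to confirm the architecture behind the 32 tag and to look for section names containing non-printable characters, one of the sandbox signatures reported further down the page. The toy PE builder and the section names it is fed are constructed test input, not data taken from the sample.

```python
import hashlib
import struct
import sys

# Digests published on this MalwareBazaar entry (copied from the page).
ENTRY = {
    "md5": "f029c534a1dc47d593f1aa413432cdf0",
    "sha1": "a886715ebbce5c047e3e23dc8d0aa513b2b194b8",
    "sha256": "5dbda634d2ac2fa1c53a15b77ad8c0772d578e004fa98fea7668c6082f00b1a6",
    "sha3_384": "124730a9e9e21e1b99fae4f269dfb2eee4d8b1942e208049935ed4817a0e15a3d"
                "26ba6e21409facc09854c13ce1c63a7",
}


def digests(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar lists for every sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_entry(data: bytes, entry: dict = ENTRY) -> bool:
    """True only if every digest agrees; one mismatch means the wrong file."""
    got = digests(data)
    return all(got[k] == v.lower() for k, v in entry.items())


def pe_summary(data: bytes) -> dict:
    """Parse the DOS header, PE signature, COFF header and section table.

    Returns the machine type (x86 for the 32-bit tag on this entry), the
    section names, and the subset of names that contain bytes outside
    printable ASCII, which is what the sandbox signature 'PE file contains
    section with special chars' reports on.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    arch = {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine))
    sect_table = coff + 20 + opt_size          # section headers follow the optional header
    names = []
    for i in range(nsections):
        raw = struct.unpack_from("8s", data, sect_table + 40 * i)[0]   # 40-byte header, name first
        names.append(raw.rstrip(b"\0"))
    odd = [n for n in names if any(c < 0x20 or c > 0x7E for c in n)]
    return {
        "arch": arch,
        "sections": [n.decode("latin-1") for n in names],
        "special_char_sections": [n.decode("latin-1") for n in odd],
    }


def build_toy_pe(section_names) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 header skeleton
    (assumed layout for illustration only, not bytes from the real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sects = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sects


if __name__ == "__main__":
    # Usage: python triage.py <unzipped sample>
    blob = open(sys.argv[1], "rb").read()
    print("matches entry:", matches_entry(blob))
    print(pe_summary(blob))
```

Run it against the unzipped sample rather than the MalwareBazaar archive; the digests on the page are of the inner file. A digest mismatch on an otherwise plausible file is a reason to stop, not to proceed with "probably the same family".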

Intelligence


File Origin
# of uploads: 1
# of downloads: 346
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Moving a recently created file
Creating a file in the %temp% directory
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin packed shell32 themidawinlicense
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Gh0stCringe, GhostRat, Nitol, RunningRAT
Detection: malicious
Classification: bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to modify clipboard data
Creates a Windows Service pointing to an executable in C:\Windows
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Drops PE files with benign system names
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses dynamic DNS services
Yara detected Gh0stCringe
Yara detected GhostRat
Yara detected Nitol
Yara detected RunningRAT
Behaviour
Behavior Graph (ID 1327160; sample q7M2hE0WMb.exe; start date 17/10/2023; architecture WINDOWS; score 100)

Top level (sample execution)
  Network: kinh.xmcxmr.com; xred.mooo.com; 9 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 17 other signatures
  Starts: q7M2hE0WMb.exe; svchsot.exe; svchost.exe; 6 other processes

q7M2hE0WMb.exe
  Network: 82.157.254.217 (ports 49713, 49718, 8000; ECLIPSEGB, China); www.ip138.com.lxdns.com 157.185.145.100 (ports 443, 49714, 49715; QUANTILNETWORKSUS, United States); 2023.ip138.com.wsglb0.com 157.185.156.194 (ports 49717, 80; QUANTILNETWORKSUS, United States)
  Dropped: C:\Windows\server.exe (PE32)
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
  Starts: server.exe; WerFault.exe

svchsot.exe (started from the sample)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

svchost.exe (started from the sample)
  Dropped: C:\Windows\SysWOW64\svchcst.exe (PE32)
  Starts: svchcst.exe

6 other processes
  Network: 127.0.0.1
  Signatures: Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications
  Starts: WerFault.exe (3 instances); splwow64.exe

server.exe
  Dropped: C:\Users\user\Desktop\._cache_server.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX6384.tmp (PE32); (copy) (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Starts: ._cache_server.exe; Synaptics.exe

svchcst.exe
  Signatures: Opens the same file many times (likely Sandbox evasion)

._cache_server.exe
  Dropped: C:\Users\user\Desktop\HD_._cache_server.exe (PE32); C:\Users\user\AppData\Local\Temp\look2.exe (PE32); C:\Users\user\AppData\Local\...\RCX79BB.tmp (PE32); C:\Users\user\AppData\Local\Temp\HD_X.dat (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to modify clipboard data
  Starts: HD_._cache_server.exe; look2.exe

Synaptics.exe
  Network: docs.google.com 142.251.40.46 (ports 443, 49724, 49725; GOOGLEUS, United States); freedns.afraid.org 69.42.215.252 (ports 49730, 80; AWKNET-LLCUS, United States)
  Dropped: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 (PE32); C:\Users\user\AppData\Local\...\jxHgqXWh.exe (PE32); C:\Users\user\AppData\Local\...\RCX6A7A.tmp (PE32); C:\Users\user\AppData\Local\...\RCX66A1.tmp (PE32)
  Signatures: Drops PE files to the document folder of the user
  Starts: WerFault.exe (2 instances)

HD_._cache_server.exe
  Network: www.wk1888.com 50.2.68.136 (port 2011; EONIX-COMMUNICATIONS-ASBLOCK-62904US, United States); www.fz0575.com 206.233.130.154 (port 2011; COGENT-174US, United States); www.af0575.com 38.239.140.49 (port 2011; COGENT-174US, United States)
  Dropped: C:\Windows\XXXXXXEB285D75\svchsot.exe (PE32); C:\Windows\SysWOW64\130228\svchost.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 8 other signatures
  Starts: svchost.exe

look2.exe
  Dropped: C:\Windows\SysWOW64\7037906.bat (PE32)
  Signatures: Creates a Windows Service pointing to an executable in C:\Windows

svchost.exe (started by HD_._cache_server.exe)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
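As an added example, not code from this page or from any of the vendors quoted on it, the following Python runs the network, dropped-file and persistence indicators from the behaviour graph above over constructed Sysmon-style log lines, to show how the same artefacts would surface on an endpoint. The log lines, their field names and the WeChat.exe download name (taken from the URL in the comment at the bottom of the page) are assumptions for illustration; the IP/port, domain and path indicators are the ones listed above. docs.google.com, freedns.afraid.org and the ip138.com hosts are deliberately left out of the block lists: they are legitimate services the sample contacts (dynamic DNS and external IP lookup), and matching on them alone would flood an alert queue with benign traffic.

```python
import re

# Indicators copied from the sandbox behaviour graph on this page.
NET_IOCS = {                          # (destination IP, destination port)
    ("82.157.254.217", 8000),         # contacted by the sample itself
    ("82.157.254.217", 8080),         # WeChat.exe download URL from the comment section
    ("50.2.68.136", 2011),            # www.wk1888.com
    ("206.233.130.154", 2011),        # www.fz0575.com
    ("38.239.140.49", 2011),          # www.af0575.com
}
DOMAIN_IOCS = {"kinh.xmcxmr.com", "xred.mooo.com",
               "www.wk1888.com", "www.fz0575.com", "www.af0575.com"}
DROPPED_PATHS = {                     # lower-cased full paths from the graph
    r"c:\windows\server.exe",
    r"c:\windows\syswow64\svchcst.exe",
    r"c:\programdata\synaptics\synaptics.exe",
    r"c:\windows\syswow64\7037906.bat",
}
# Where a genuine svchost.exe lives; the graph shows copies dropped elsewhere.
SVCHOST_REAL = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}

# Constructed Sysmon-style events (EventID 1 process create, 3 network connect,
# 11 file create, 13 registry value set, 22 DNS query). Not real telemetry;
# the paths and parent/child pairs are assumptions modelled on the graph.
LOG = r"""
EventID=1 Image=C:\Users\user\Downloads\WeChat.exe ParentImage=C:\Windows\explorer.exe
EventID=11 Image=C:\Users\user\Downloads\WeChat.exe TargetFilename=C:\Windows\server.exe
EventID=3 Image=C:\Users\user\Downloads\WeChat.exe DestinationIp=82.157.254.217 DestinationPort=8000
EventID=22 Image=C:\ProgramData\Synaptics\Synaptics.exe QueryName=freedns.afraid.org
EventID=22 Image=C:\Users\user\Desktop\HD_._cache_server.exe QueryName=www.fz0575.com
EventID=1 Image=C:\Windows\SysWOW64\130228\svchost.exe ParentImage=C:\Users\user\Desktop\HD_._cache_server.exe
EventID=1 Image=C:\Windows\XXXXXXEB285D75\svchsot.exe ParentImage=C:\Windows\services.exe
EventID=13 Image=C:\Windows\server.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Synaptics Details=C:\ProgramData\Synaptics\Synaptics.exe
EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe
EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=142.251.40.46 DestinationPort=443
"""

# Key=Value pairs; a value runs until the next " Key=" or end of line, so
# paths containing spaces (Program Files) survive.
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse(line: str) -> dict:
    """Split one 'Key=Value Key=Value' event line into a dict."""
    return dict(KV.findall(line))


def check(ev: dict) -> list:
    """Return the findings an event triggers (empty list if clean)."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    base = image.rsplit("\\", 1)[-1]
    if eid == "3":
        key = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if key in NET_IOCS:
            hits.append(f"network IOC {key[0]}:{key[1]}")
    elif eid == "22" and ev.get("QueryName", "").lower() in DOMAIN_IOCS:
        hits.append(f"DNS IOC {ev['QueryName']}")
    elif eid == "11" and ev.get("TargetFilename", "").lower() in DROPPED_PATHS:
        hits.append(f"dropped file {ev['TargetFilename']}")
    elif eid == "1":
        if base == "svchsot.exe":                       # typo-squatted svchost name
            hits.append(f"svchost look-alike {ev['Image']}")
        elif base == "svchost.exe" and image not in SVCHOST_REAL:
            hits.append(f"svchost.exe outside System32/SysWOW64: {ev['Image']}")
    elif eid == "13":
        target = ev.get("TargetObject", "").lower()
        value = ev.get("Details", "").lower()
        if "\\currentversion\\run\\" in target and value in DROPPED_PATHS:
            hits.append(f"Run-key persistence -> {ev['Details']}")
    return hits


def sweep(log: str) -> list:
    """Return [(line_number, finding), ...] for every matching event."""
    findings = []
    for n, line in enumerate(log.strip().splitlines(), 1):
        for hit in check(parse(line)):
            findings.append((n, hit))
    return findings


if __name__ == "__main__":
    for n, hit in sweep(LOG):
        print(f"line {n}: {hit}")
```

The two svchost rules are the part worth keeping after the IP and domain indicators rot: a process named svchsot.exe, or svchost.exe running from any directory other than System32 or SysWOW64, is wrong on every Windows host regardless of which Gh0st build dropped it.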
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-10-06 14:25:49 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 21 of 38 (55.26%)
Threat level: 2/5
Result
Malware family: gh0strat
Score: 10/10
Tags: family:gh0strat bootkit evasion persistence rat trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Downloads MZ/PE file
Sets DLL path for service in the registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Gh0st RAT payload
Gh0strat
Unpacked files
SHA256 hash: 86ffd39f8c53924a25935a4e1667487c2a63c7c8313e4d4f6bb13a9ac742db3b
MD5 hash: 021ec3cc05e073e136aa1d19e199b77c
SHA1 hash: f386c2997fd05878ee3bb9638550deed6e2cf296
SHA256 hash: 8a0e3bce4fd6e5b2ee448d9671871cd24737792ce9e6405c6e5c92aa2a2ea0f2
MD5 hash: edb3b38054ebd62f299c0cf39a504c3f
SHA1 hash: 638b25945be8f6b3b87962a5c6703480c956f909
SHA256 hash: 5dbda634d2ac2fa1c53a15b77ad8c0772d578e004fa98fea7668c6082f00b1a6
MD5 hash: f029c534a1dc47d593f1aa413432cdf0
SHA1 hash: a886715ebbce5c047e3e23dc8d0aa513b2b194b8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the no presence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/
Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of an or several urls
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gh0stRAT
File: Executable exe 5dbda634d2ac2fa1c53a15b77ad8c0772d578e004fa98fea7668c6082f00b1a6 (this sample)

Comments



zbet commented on 2023-10-17 10:22:00 UTC

url : hxxp://82.157.254.217:8080/WeChat.exe