MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b
SHA3-384 hash: a71eaee91db014a7154f78f8d4969cc3fe13bc6d5a2e86059a70deaa978df437e8877cec29fa37375402ed4cbbd98eec
SHA1 hash: b5bcac5e714bf6fdfd0f46e23bb3a634344f5c24
MD5 hash: 879a286654fd9e2702d94978e0a3b937
humanhash: mirror-green-tango-neptune
File name:5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:591'549 bytes
First seen:2022-06-06 12:54:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f93c9dd2c0a3aa46cd302497351cbda (1 x Gh0stRAT, 1 x MimiKatz)
ssdeep 12288:tCu0EuGfFovspdnRZhy3fYgrGb0rl8GbV5sxIJW24fBDncNBw6ZOSEcQCc:k0ovspdRDEfYgUkiGWrBANWbeQ5
Threatray 87 similar samples on MalwareBazaar
TLSH T108C42380F7641C77E80B4B387307A0C36DB9E1416B4DEC2B9145508B6E7AB823E9FD19
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4505/5/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.4% (.EXE) Clipper DOS Executable (2018/12)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e8d4929c2cac98a8 (3 x MimiKatz, 1 x Gh0stRAT)
Reporter JAMESWT_WT
Tags:exe Gh0stRAT kk123456.top related

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b
Verdict:
Malicious activity
Analysis date:
2022-06-06 13:11:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/43348d87-0750-4cea-9fa2-63a4badf93c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat / Gh0st
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277035/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Keylogger.Gh0stRAT-9937448-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Program Files subdirectories
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Creating a file in the drivers directory
Loading a system driver
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/629df945824d74ef94f745aa/reports/832231ee-268e-463d-9601-7419c2f74ded/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Lotok
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07154c67-a6de-459e-82a4-9e23c4c8ede3
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007374
Signature
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 639871 Sample: hvpImDGhWp Startdate: 06/06/2022 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 10 other signatures 2->53 7 hvpImDGhWp.exe 1 3 2->7         started        10 Aqiyq.exe 2->10         started        12 svchost.exe 1 2->12         started        15 4 other processes 2->15 process3 dnsIp4 31 C:\Program Files (x86)31etMeeting\Aqiyq.exe, PE32 7->31 dropped 33 C:\...\Aqiyq.exe:Zone.Identifier, ASCII 7->33 dropped 17 cmd.exe 1 7->17         started        20 Aqiyq.exe 13 1 10->20         started        39 192.168.2.1 unknown unknown 12->39 file5 process6 dnsIp7 41 Uses ping.exe to sleep 17->41 43 Uses ping.exe to check the status of other devices and networks 17->43 24 PING.EXE 1 17->24         started        27 conhost.exe 17->27         started        35 154.80.229.124, 36002 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 20->35 29 C:\Windows\System32\drivers\QAssist.sys, PE32+ 20->29 dropped 45 Sample is not signed and drops a device driver 20->45 file8 signatures9 process10 dnsIp11 37 127.0.0.1 unknown unknown 24->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 17:26:00 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lx2gvbnqr2yulxi5mnazgswjurshtnvinbnsdse5ahpbrlvq64vq._file
Verdict:
malicious
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
Gh0stRAT
38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
Gh0stRAT
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
Gh0stRAT
5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888
Gh0stRAT
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
Gh0stRAT
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
Gh0stRAT
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Gh0stRAT
c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
Gh0stRAT
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
Gh0stRAT
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
Gh0stRAT
+ 77 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox persistence rat rootkit trojan upx
Link:
https://tria.ge/reports/220606-p5sgnscfbq/
Behaviour
Runs ping.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Deletes itself
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
e729e0d5037e20f78e1b9665ca29e6355c6f80ae1c6078135c8b5eac4549c4f7
MD5 hash:
78d82a5020250476fa22b2bf47ec2834
SHA1 hash:
4291ce7e33e5c75f10c19308dd79772da45f2b45
Link:
https://www.unpac.me/results/33421179-e049-46c8-b445-babca3dd11f3/
Parent samples :
5058d869c59bfb3480d1dc6f8f51d191adb890039c89ff9fd668fe7b481099b8
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
SH256 hash:
7493ccd858da7faf9821cde4154a360d296fe46845665f327fc660c443f59919
MD5 hash:
2b75c79cad0863f4d4f2b7d89905821e
SHA1 hash:
a5a01b2048b3d64bd409dc2ba66203fcf5ef7bb1
Link:
https://www.unpac.me/results/33421179-e049-46c8-b445-babca3dd11f3/
SH256 hash:
5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b
MD5 hash:
879a286654fd9e2702d94978e0a3b937
SHA1 hash:
b5bcac5e714bf6fdfd0f46e23bb3a634344f5c24
Link:
https://www.unpac.me/results/33421179-e049-46c8-b445-babca3dd11f3/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5df46a85b08e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277035/

Comments