MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e2420dde8d9ac32f13dac5ba27d333248009d5576f13ebcbdd95966be3cfd70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e2420dde8d9ac32f13dac5ba27d333248009d5576f13ebcbdd95966be3cfd70
SHA3-384 hash: 71b85589e9178eff7b916b37074ca7813fb59bd49f7923321eb1ab1a71f7eecd5b9a4808b5861e39eafa37980cc0ffcf
SHA1 hash: 52ba353c38ba0f9cac685bd6aa76778cfa73ff97
MD5 hash: acd25f5ddd11085d6bfbd1a3a693998a
humanhash: cola-uncle-maryland-glucose
File name:acd25f5ddd11085d6bfbd1a3a693998a.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:196'608 bytes
First seen:2022-11-05 05:10:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0533f8fc6d242682a6c09fa97fd55f21 (10 x Gh0stRAT)
ssdeep 3072:DD32tEC2souSimzRqE+ZoK2Cpa55WUorskESQn+3dQkmIwrHvVOol41uV7TtBbEB:i16qE4ZNrh0udQkm7HvVBKYRTCYQRm1k
Threatray 57 similar samples on MalwareBazaar
TLSH T1C5147DC5F2898CF2D97E87BF7CC54E2C10B149CE7A562AA79C066F0C00A92B93D251DD
TrID 33.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
14.0% (.SCR) Windows screen saver (13097/50/3)
11.2% (.EXE) Win64 Executable (generic) (10523/12/4)
7.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:exe Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
183.236.2.18:8001

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
acd25f5ddd11085d6bfbd1a3a693998a.exe
Verdict:
Malicious activity
Analysis date:
2022-11-05 05:14:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3107aac-bedc-4b4e-94fe-aa4e29e23d8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/328948/
Detection(s):
Win.Trojan.Palevo-34143
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the Windows directory
Creating a file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/48808/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
ghost greyware lime obfuscated palevo shell32.dll swisyn
Link:
https://www.filescan.io/uploads/6365f068d998c15a09ab189a/reports/f7c710e2-cea3-404f-906a-14250f91eb3a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zegost
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2abdd324-73d5-4447-9d2f-36fb65c44c3b
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1106004
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Uses dynamic DNS services
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e2420dde8d9ac32f13dac5ba27d333248009d5576f13ebcbdd95966be3cfd70/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2011-08-04 08:12:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyscbxpi3gwdf4j5vrn2e7jtgjeabhkvo3yt5pf53fmwnpr47vya._file
Verdict:
malicious
Similar samples:
0e723b24c00d40e82c3040be920ea71fa0c8f868d009f66310250f7286eeb3c7
Gh0stRAT
1572e78bd040b8ba1a070b495df92ad34deb842e8edd732c1e4dc2c83f76357c
Gh0stRAT
96693934ea434357522fd15757ae0a757e2d93c080d900f152b66b428afb1526
Gh0stRAT
9f0b53652202ef427b78a25412c87d27261e7eedbb55a240466c5bcf770ddadc
Gh0stRAT
becc6f8e5b34bc2ccac9d11b1dd7b62278f79ac242649d656278e3947a24f5e0
Gh0stRAT
+ 47 additional samples on MalwareBazaar
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat persistence rat
Link:
https://tria.ge/reports/221105-ft93xafhfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Adds Run key to start application
Gh0st RAT payload
Gh0strat
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d85df90b-eea9-4b78-bc24-6f4434a5e8f8
Unpacked files
SH256 hash:
1e6803bbea28b632be5f1f166f0e3804867963f9f456fedc1ea48188a0e20ef8
MD5 hash:
d1b6fc958ec6e8d99b5e00f5e11fbe93
SHA1 hash:
4864fba41c4022248e8a7a0db5410f15f457cd42
Link:
https://www.unpac.me/results/66000567-5c6d-46cb-a1e2-6c63c9d715ea/
SH256 hash:
5e2420dde8d9ac32f13dac5ba27d333248009d5576f13ebcbdd95966be3cfd70
MD5 hash:
acd25f5ddd11085d6bfbd1a3a693998a
SHA1 hash:
52ba353c38ba0f9cac685bd6aa76778cfa73ff97
Link:
https://www.unpac.me/results/66000567-5c6d-46cb-a1e2-6c63c9d715ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e2420dde8d9ac32f13dac5ba27d333248009d5576f13ebcbdd95966be3cfd70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/328948/

Comments