MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f391814f313f3c2acbedf0f7dd1333a3f0fdd3157eb46a206e00c4a4a3fbdca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f391814f313f3c2acbedf0f7dd1333a3f0fdd3157eb46a206e00c4a4a3fbdca
SHA3-384 hash: d7689e5b82223366b47b1029ead6fa3fa3ea2ecf9e7fed8777c5c8dfea4a46d926cbba605004a42092c3519e8236779f
SHA1 hash: ff6ed3240deec6b172ac410538a6a79c00d92d37
MD5 hash: d34d47927339dedd0199960650b229fd
humanhash: robin-island-mars-ohio
File name:D34D47927339DEDD0199960650B229FD.dll
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:230'400 bytes
First seen:2021-08-08 14:50:24 UTC
Last seen:2021-08-08 16:01:46 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9b821a35d20f9a8955f8d5e54b175675 (2 x Gh0stRAT)
ssdeep 6144:LoKI457oMLCUfZwOvVh6lz2IvMql5i1IWaS67ANLr5cc:L57owCUfaKh4z1N5iCWaS67Ax5cc
Threatray 15 similar samples on MalwareBazaar
TLSH T1F6342395F112466CEA9B8F3A12975903B3219271080DAAC5DF9ECD27E7F263F3435312
Reporter abuse_ch
Tags:dll Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
103.145.86.6:7777

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.145.86.6:7777 https://threatfox.abuse.ch/ioc/166039/

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177240/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Nethief
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e596ff7-a669-4d1d-83c4-364cde0b5d34
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828802
Signature
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f391814f313f3c2acbedf0f7dd1333a3f0fdd3157eb46a206e00c4a4a3fbdca/
Threat name:
Win32.Packed.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 19:21:00 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l44rqfhtcpz4flf634hx3ujthi7q7xjrk7vuniqg4ageusr7xxfa._file
Verdict:
malicious
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
Gh0stRAT
248c72c5eb7823243a820b9935e49534d8a94b91a6528afd8db98c9e8f56fbc0
Gh0stRAT
3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163
Gh0stRAT
3b5ce6a6dfa672d7d1f4c4b9fe0f6571cecea58401beeb704513a0d97763cb54
Gh0stRAT
3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785
Gh0stRAT
43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8
Gh0stRAT
979405efabab43a36e009a0bd005b01d4a4faf9113d14e3fc78865eb461bbc61
Gh0stRAT
a66d1021e54269963e9a54892869d569ffa1c74d9fb1b67f023ea5fdfd90c1a6
Gh0stRAT
eb6478f051ae5b16921ed95f6a2f761512c79787ac2b54f0d00742ad526c34b8
Gh0stRAT
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/210808-spkh2kxq7x/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates connected drives
Blocklisted process makes network request
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39
Unpacked files
SH256 hash:
584d582a2fa9106c9368f86849537f44d92baaec17e1150f1f15ad3a20c075d7
MD5 hash:
1a301fdeeea78e0a93b4ff5da9edbf3a
SHA1 hash:
2d8d990e4801f5ccf16a05899587b5aafdea7061
Link:
https://www.unpac.me/results/76cd7cae-60a5-40a8-8673-1befd6491f58/
SH256 hash:
5f391814f313f3c2acbedf0f7dd1333a3f0fdd3157eb46a206e00c4a4a3fbdca
MD5 hash:
d34d47927339dedd0199960650b229fd
SHA1 hash:
ff6ed3240deec6b172ac410538a6a79c00d92d37
Link:
https://www.unpac.me/results/76cd7cae-60a5-40a8-8673-1befd6491f58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/5f391814f313f3c2acbedf0f7dd1333a3f0fdd3157eb46a206e00c4a4a3fbdca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GhostDragon_Gh0stRAT
Create hunting rule
Author:Florian Roth
Description:Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:https://blog.cylance.com/the-ghost-dragon
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177240/

Comments