MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 649c9081b96d38aaea3052741d8549bb693a6a5327676376dd11d98ef51f697a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gh0stRAT
Vendor detections: 8

SHA256 hash: 649c9081b96d38aaea3052741d8549bb693a6a5327676376dd11d98ef51f697a
SHA3-384 hash: e080b4a20e9f056c531760f889a8197fe61dd40277a9839394327089b5a66ed8bcdb647afda405a7c80d5e5da7bcb9d2
SHA1 hash: f5e8b300cbd58238d12b755298edf3c565755dc8
MD5 hash: 038c21e92311ecb6e67e143128c3a350
humanhash: pip-music-enemy-illinois
File name: CA41I4OE.bat
Signature: Gh0stRAT
File size: 1'619 bytes
First seen: 2022-12-16 14:35:28 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 48:pOoklUR24UR6wq7oV7n+lfn+J2dYURIJagtuv:pbmHWkSwJaV
TLSH: T18131FF71B462F386C9B009458C3F3B01770AF947BA840D0AE2F57CA0FDC2986AA593DD
Reporter: iamdeadlyz
Tags: 45-153-241-207 bat FakeGaliXCity Gh0stRAT SpaceCity


Iamdeadlyz
From spacecity.games (impersonation of galixcity.io)
Gh0stRAT C&C: 45.153.241.207:1016

Intelligence

File Origin
# of uploads: 1
# of downloads: 139
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SpaceCityV2.exe
Verdict: No threats detected
Analysis date: 2022-12-16 14:36:22 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug evasive explorer.exe greyware keylogger packed shell32.dll

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature:
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file

Threat name: Text.Malware.Boxter
Status: Malicious
First seen: 2022-12-16 14:36:06 UTC
File Type: Text (Batch)
AV detection: 3 of 40 (7.50%)
Threat level: 2/5
Verdict: malicious

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: SUSP_PowerShell_Caret_Obfuscation_2
Author: Florian Roth
Description: Detects powershell keyword obfuscated with carets
Reference: Internal Research

Rule name: SUSP_PowerShell_Caret_Obfuscation_2_RID347B
Author: Florian Roth
Description: Detects powershell keyword obfuscated with carets
Reference: Internal Research
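The two ideas behind the matched rules (a "powershell" keyword broken up with cmd.exe carets, and commands that switch off Defender or the firewall) are easy to miss with a plain substring search, because cmd.exe strips the carets only at execution time. The following is an added example, written for this page; it is not the logic of the YARA rules above, not code from their authors, and not code from MalwareBazaar. It normalises caret escapes the way cmd.exe does (including line continuation) and scans the result. The batch content in SAMPLE_BAT is constructed for the demonstration and is not the contents of the sample listed on this page; the tamper-command pattern list is this example's own choice.

```python
import re

# Constructed batch content for the demonstration. It is NOT the contents of the
# MalwareBazaar sample; it exercises the two ideas the matched YARA rules
# describe: a caret-obfuscated "powershell" keyword and commands that tamper
# with Defender or the firewall.
SAMPLE_BAT = r"""@echo off
p^o^w^e^r^s^h^e^l^l -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"
netsh advfirewall set allprofiles state off
echo done ^
and this line continues
"""

# "powershell" with any number of carets between its letters (cmd.exe drops
# them before execution, so p^o^w^e^r^s^h^e^l^l runs as powershell).
CARET_KEYWORD = re.compile(r"p\^*o\^*w\^*e\^*r\^*s\^*h\^*e\^*l\^*l", re.IGNORECASE)

# Commands that disable or weaken Windows Defender, the firewall or SmartScreen
# (an illustrative list chosen for this example, not the YARA rule's content).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference|Add-MpPreference|DisableAntiSpyware|DisableRealtimeMonitoring"
    r"|advfirewall\s+set\s+\w+\s+state\s+off|SmartScreenEnabled"
    r"|\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend",
    re.IGNORECASE,
)


def decaret(line: str) -> str:
    """Apply cmd.exe caret escaping: '^x' becomes 'x' (so '^^' becomes '^').

    A lone caret at the very end of the line is a line-continuation marker and
    is simply dropped; logical_lines() performs the join itself.
    """
    out = []
    i = 0
    while i < len(line):
        if line[i] == "^":
            if i + 1 < len(line):
                out.append(line[i + 1])
            i += 2
        else:
            out.append(line[i])
            i += 1
    return "".join(out)


def _continues(line: str) -> bool:
    """True when the line ends in an odd run of carets, i.e. an escaped newline."""
    trailing = len(line) - len(line.rstrip("^"))
    return trailing % 2 == 1


def logical_lines(text: str):
    """Yield (start_lineno, raw, normalised) per logical line, joining continuations."""
    physical = text.split("\n")
    i = 0
    while i < len(physical):
        start = i + 1
        raw = physical[i]
        joined = physical[i]
        while _continues(joined) and i + 1 < len(physical):
            i += 1
            raw += "\n" + physical[i]
            joined = joined[:-1] + physical[i]  # the caret escaped the newline
        yield start, raw, decaret(joined)
        i += 1


def scan(text: str) -> dict:
    """Return the 1-based logical line numbers that trip each check."""
    findings = {"caret_obfuscated_powershell": [], "defender_tampering": []}
    for lineno, raw, norm in logical_lines(text):
        # Flag only matches that actually contain carets: a plain "powershell"
        # is not obfuscation, which is what the rule on this page targets.
        if any("^" in m.group(0) for m in CARET_KEYWORD.finditer(raw)):
            findings["caret_obfuscated_powershell"].append(lineno)
        # Run the tamper check on the de-careted text so escaping cannot hide it.
        if DEFENDER_TAMPER.search(norm):
            findings["defender_tampering"].append(lineno)
    return findings


def naive_contains_powershell(text: str) -> bool:
    """What a plain substring check sees: the caret form slips past it."""
    return "powershell" in text.lower()


if __name__ == "__main__":
    print(scan(SAMPLE_BAT))
    print("naive substring check:", naive_contains_powershell(SAMPLE_BAT))
```

The point of running the tamper check on the normalised text rather than the raw line is that the same caret trick that hides "powershell" also hides "Set-MpPreference" from a literal match; normalising first means one pattern list covers both spellings. Carets are only one of several cmd.exe tricks (environment-variable substring expansion and delayed expansion are others), so a negative result from this scanner is not evidence that a batch file is clean.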

File information


The table below shows additional information about this malware sample such as delivery method and external references.

888911f248e764f4a7ece25cab594a925bf13eb797fd1578b824d592a7719814  Gh0stRAT
    Batch (bat)  649c9081b96d38aaea3052741d8549bb693a6a5327676376dd11d98ef51f697a  (this sample)

Dropped by: SHA256 888911f248e764f4a7ece25cab594a925bf13eb797fd1578b824d592a7719814
Delivery method: Distributed via web download

Comments