MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6
SHA3-384 hash: 0d9a76af5dad039958056053847d251c3ea06c97ae12c6c93e9e97ccfd9983cf91471d38a2e961b687675390841982d6
SHA1 hash: 97e80b0e34c842b8012980ecc6a36c81ad223091
MD5 hash: 5d4a8d13ab9bc2ccc9320152a7bcde39
humanhash: quebec-vermont-bravo-princess
File name:SecuriteInfo.com.Win32.MalwareX-gen.2794.22278
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:3'161'600 bytes
First seen:2025-06-05 13:25:08 UTC
Last seen:2025-06-05 14:26:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 3ad6c094037460413d9c9cca158104b1 (10 x Gh0stRAT)
ssdeep 98304:1q2E0P9WeWgvsFJ8yVtbl39yeSUT0RNsGeY5:1qp0AN8eSUT0ReGei
TLSH T106E5C319BA580D26DB57D332C205F1A7ADE8D3A0852F83C2E988F7DC5425483EDA61FD
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:dll Gh0stRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
394
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
FatalRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7486/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.2794.22278.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68419c288bd5d68a12e58960
Tags:
shellcode farfli virus zusy
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context explorer fingerprint keylogger lolbin microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/68419ac358764b44c679b89f/reports/91c50ed4-ccf3-4ec8-b2e8-0c829a23e460/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/82c541bd-fdd6-451d-9c85-f02b321472de
Result
Threat name:
GhostRat, Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1707231
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Delayed program exit found
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Rundll32 Execution Without CommandLine Parameters
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1707231 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 05/06/2025 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected Mimikatz 2->29 31 3 other signatures 2->31 7 loaddll32.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        19 conhost.exe 7->19         started        dnsIp5 23 38.46.13.90, 49722, 49723, 49724 COGENT-174US United States 11->23 33 System process connects to network (likely due to code injection or exploit) 11->33 35 Found evasive API chain (may stop execution after checking mutex) 11->35 37 Found stalling execution ending in API Sleep call 11->37 39 7 other signatures 11->39 21 rundll32.exe 1 15->21         started        signatures6 process7
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-05-19 11:01:24 UTC
File Type:
PE (Dll)
Extracted files:
37
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndinpe3trc3qleejfpkf4n22hgdjq2v3uw726ydr35evxvmxrpda._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250605-qn4n2sxwhz/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Blocklisted process makes network request
Unpacked files
SH256 hash:
db02bd03b54cd2fd7d525612ba1841d1eefde56cbb8bb5f364b659ef14067213
MD5 hash:
6abe001711095d8dcfbcdd6a509ed8bd
SHA1 hash:
e56e2f9c58fee2c8fd3233f8464fb52c7641ad4d
Detections:
Mimikatz_Strings
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_Zegost
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
check_installed_software
Create hunting rule
Link:
https://www.unpac.me/results/1d22409d-5e8c-43c9-a96c-3196808194ed/
Parent samples :
0e022e4338e1650d82a719b009c4aa7bd5efa43e72518e0395777d0be37ec04b
d5b97d4be78dd6e6795c7e5376faeeaa58ac0b40629ea67291f223d42f19553a
5c86a4498bc05f88149ad40cc97ae4584a769840e8fb259a2bd2b3bf07d96919
0d5fd3da00f55402d3a66a8dd9f005b30d541cf2504073bc61c9ab260dccc4f0
0df117613af0902c70b911dfac2ee615177502036b2335490417aee11db9dfed
0271dce68b059c6996c2af61298a54b5dac89d9b4a76e4849e715ccaf7466dc9
d71bb15d343dd91690efb049eba30f28aecc17500bd2deb7204f48282e45576e
4cf92b27d387c9f3aaee9bc12de4eb22f2e8a6b6179affc4575a5d778cee173b
6d0d5b0d4b6a0c4a99f227d38bfe87bd10079034bbd41c90c34a8244aab55a84
481f80be12bf59f0f7a813410241e9101d68725e7e5e9dd0caede8709c5a75c9
a81700bf767bd7c4ee3ba71c954ad1bc37b89818a8953466bb7d858f8a4d26bd
b642e6abf52baf150f8f06464a4f43fe8c86b984a859a20ba096e2dc950e4bf6
aa9380ebe4adbb984507dacb82fc077026f2ebd0535af216a6569b04ce9d3efe
5e189d616ee4fe528bc165b7528b071619408d43bbfd9c82c045aeeb55276478
68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6
39de176c5876211820f2a565b740fdbb716cb0c9a27798732a9beeddef32b509
c9fc0c580e2cd2e376e7103422b581255da63295b94a96cd9121afa467a6583a
e341ad06bffac6637eceabcca1809cb2cb0378a4a02a0deb60c6be8536e97d81
6fddee12262f702de7ff59bf6a8178069576ae4ca57eae62d9d3c7cfb3814a53
8d2e9aa524bd78eb971e05a03741b92be58b52d9b7e4693896b2f3820d2fa683
0a6308c3c221fba00a3d53e944f515a00eb348187117828aa5ae59db36ee2a10
f980a395b1d3f5a2a4720e6cd57edaf5819105af9d9bb153e6a854dad0aa5659
9408a7c93e8115afe26a6a12e8bfce35d741cdc890ee2d08b7dba9eb6bacdde1
eb689bd8c8fe09a6e4e2e5b41cb3c4538c64bc5ef92938480646d10685db6e67
SH256 hash:
68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6
MD5 hash:
5d4a8d13ab9bc2ccc9320152a7bcde39
SHA1 hash:
97e80b0e34c842b8012980ecc6a36c81ad223091
Link:
https://www.unpac.me/results/1d22409d-5e8c-43c9-a96c-3196808194ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

DLL dll 68d0d7937388b70590892bd45e375a3986986abba5bfaf6071df495bd5978bc6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/7486/
  
URLhaus
https://urlhaus.abuse.ch/url/3558524/
  
Delivery method
Distributed via web download

Comments