MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f
SHA3-384 hash: fb4e2d2f41c596e4621fe982441126c7c425ee8075907b1f4fc0cdf2f90de51ecb71ca93f0f466355ea5b3ee1703f502
SHA1 hash: b9754522b39aaded4a9c8b44d4cca5fde1eb6e48
MD5 hash: adf0d4631057f7070280e175bdfac33c
humanhash: nineteen-network-island-item
File name:svchost.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:139'264 bytes
First seen:2021-02-04 00:37:33 UTC
Last seen:2021-04-18 08:50:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8f50a4fbe43851219d890796902c6fd (3 x Gh0stRAT, 2 x YoungLotus)
ssdeep 1536:TTrx8TkMw/Za0ptGiHjdbxv7fjTHMB5RJGNoQ0u0M+xY7H56uDd+by+ik5HX:TMwRa0ptB3EpCH0u0MDN9LcJX
TLSH D4D37C02F39CC162C04153BC8FA19AA95EF7FF718AE51D8B379C2BE90B34B945A2D145
Reporter r3dbU7z
Tags:backdoor exe Gh0stRAT Lotok

Intelligence

File Origin
# of uploads :
3
# of downloads :
463
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115459/
Detection(s):
Win.Dropper.Gh0stRAT-7577253-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DHCP request
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
DNS request
Modifying a system file
Sending a custom TCP request
Connection attempt
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/598615
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to infect the boot sector
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f/
Threat name:
Win32.Backdoor.Lotok
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 07:27:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ocwdhhcb5n5d7buhg34yv6rrcz2nuynocileaqxejvxgiezy74pq._file
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210204-88l8fpb6hn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
e3b198f30a7e90013b93d6259a8b53d67eeb9e27176c391ebc45d1ea4bf94753
MD5 hash:
98623ccfb5440a8757103192443470ca
SHA1 hash:
d5100f7118dbbeec2b02c2efafcc9dffbcccd963
Detections:
win_younglotus_g0
Create hunting rule
win_younglotus_auto
Create hunting rule
Link:
https://www.unpac.me/results/f5b0ee78-61cb-4b2c-ba5d-7af52d97bdc7/
Parent samples :
70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f
e8c9ef1dd0acb526355e36712841d4d843cfcac7ed2a50ec01ae12c2cf3438e9
26613cef7ccbaa737704157f03630a0a0100c1b3b2cfa1918aaaabd6bcf74ded
ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620
a5abe9b651a53a8d4e458d80a3f3d1a6cb12fd30c51c4f2c1ae385921175f977
SH256 hash:
70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f
MD5 hash:
adf0d4631057f7070280e175bdfac33c
SHA1 hash:
b9754522b39aaded4a9c8b44d4cca5fde1eb6e48
Link:
https://www.unpac.me/results/f5b0ee78-61cb-4b2c-ba5d-7af52d97bdc7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_younglotus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115459/

Comments