MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd
SHA3-384 hash: 3d1e9a5648c2e25d26b04fb23979c6b566ce027ac5493b0740794b774f9adfd84b86269923abfd958a23586218a541bd
SHA1 hash: ab061a297b232168508abfe04aa3c7da80fc5018
MD5 hash: 4ef0f866e2a92cb31ac0764700c82ec8
humanhash: eight-idaho-glucose-ink
File name:727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'712'358 bytes
First seen:2022-08-03 10:19:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep 24576:c89tv9/7JtDElDEExIecl1erdg0MCiVWhR/isd6VRxWXiMd:c89XJt4HIZ/Gg0P+WhIsdtpd
Threatray 286 similar samples on MalwareBazaar
TLSH T12B85E153F99280F2C748543114AF6736EEB55F854B128B87679CFE1C2C72181BA7B23A
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter JAMESWT_WT
Tags:exe Gh0stRAT Hangzhou Saifan Technology Co. Ltd.

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd
Verdict:
No threats detected
Analysis date:
2022-08-03 10:21:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8266094-24ad-4e84-8aca-1d6075f23bfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat / Gh0st
Create hunting rule
Link:
https://www.capesandbox.com/analysis/296148/
Detection(s):
Win.Trojan.Generic-9908305-0
Create hunting rule

Win.Dropper.Midie-9942397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Moving a file to the %temp% directory
Modifying an executable file
Creating a file in the drivers directory
Loading a system driver
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Enabling autorun for a service
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/62ea4c130d534e60816df0d8/reports/1e6e47fc-b00b-41c4-ab73-00e3276e72bd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fcd63e4b-759d-4861-aa31-b97cfd38dd6b
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045520
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 678014 Sample: cPKdu3P3L0 Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 4 other signatures 2->73 8 cPKdu3P3L0.exe 16 2->8         started        12 TXPlatforn.exe 2->12         started        14 svchost.exe 2->14         started        16 12 other processes 2->16 process3 file4 55 C:\Users\user\Desktop\HD_cPKdu3P3L0.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\Local\...\RCXF7A8.tmp, PE32 8->57 dropped 59 C:\Users\user\AppData\Local\...\RCXF4E8.tmp, PE32 8->59 dropped 61 12 other malicious files 8->61 dropped 81 Drops executable to a common third party application directory 8->81 83 Infects executable files (exe, dll, sys, html) 8->83 18 QQ.exe 1 1 8->18         started        22 HD_cPKdu3P3L0.exe 5 8->22         started        85 Antivirus detection for dropped file 12->85 87 Machine Learning detection for dropped file 12->87 89 Drops executables to the windows directory (C:\Windows) and starts them 12->89 24 TXPlatforn.exe 13 1 12->24         started        91 Changes security center settings (notifications, updates, antivirus, firewall) 14->91 27 MpCmdRun.exe 1 14->27         started        signatures5 process6 dnsIp7 49 C:\Windows\SysWOW64\TXPlatforn.exe, PE32 18->49 dropped 75 Antivirus detection for dropped file 18->75 77 Machine Learning detection for dropped file 18->77 29 cmd.exe 1 18->29         started        51 C:\Users\user\AppData\Local\Temp\...\Un_A.exe, PE32 22->51 dropped 32 Un_A.exe 18 22->32         started        63 hackerinvasion.f3322.net 127.0.0.1 unknown unknown 24->63 65 192.168.2.1 unknown unknown 24->65 53 C:\Windows\System32\drivers\QAssist.sys, PE32+ 24->53 dropped 79 Sample is not signed and drops a device driver 24->79 35 conhost.exe 27->35         started        file8 signatures9 process10 file11 93 Uses ping.exe to sleep 29->93 95 Uses ping.exe to check the status of other devices and networks 29->95 37 conhost.exe 29->37         started        39 PING.EXE 1 29->39         started        41 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 32->41 dropped 43 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 32->43 dropped 45 C:\Users\user\AppData\Local\...\System.dll, PE32 32->45 dropped 47 C:\Users\user\AppData\Local\...\StdUtils.dll, PE32 32->47 dropped signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 20:52:00 UTC
File Type:
PE (Exe)
Extracted files:
120
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oj5d3gyiqrzgxcvgtnrwr3bsamwdmzc4nwbkgoxfnhjmst4u6toq._file
Verdict:
malicious
Similar samples:
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Gh0stRAT
52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957
Gh0stRAT
795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6
Gh0stRAT
86c8f78d6c977f1d9a280a960a10c9c485419afbb8c70f7a90a82f0eadee9445
Gh0stRAT
a18e86dbfe2bee1ca87206bc3becd03bff4cd82be7747cb73ea3ed04191aef49
Gh0stRAT
f67a41e2609e49ffcd1922c9a892c44c3e9af7c68539c1c3ee6b6fdbedc3d437
Gh0stRAT
+ 276 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox persistence rat rootkit trojan upx
Link:
https://tria.ge/reports/220803-mc4ccsaab6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
fe04dd20c27d483e0ed1f07f39f2cf8f54f1e1af9ad794c9dfc4773a8fae7f60
MD5 hash:
8b1eda0bf1e445f16b910bc00b57d9b9
SHA1 hash:
5bbc680644c09a94d865c2440242a2eed1243d7f
Link:
https://www.unpac.me/results/f1eb844d-2305-4798-8416-f5d3eb75fd6b/
Parent samples :
d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656
9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d
90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660
SH256 hash:
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
MD5 hash:
0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 hash:
48df0911f0484cbe2a8cdd5362140b63c41ee457
Link:
https://www.unpac.me/results/f1eb844d-2305-4798-8416-f5d3eb75fd6b/
SH256 hash:
11f5820690428167ee0a38e1ff3b9d0a48842459817d4417788a8e3feaabe37c
MD5 hash:
4b1be5a2c2e47fe28fce4cce0db40147
SHA1 hash:
720961c7e8026fd52ad1512e943f7994add7323f
Link:
https://www.unpac.me/results/f1eb844d-2305-4798-8416-f5d3eb75fd6b/
SH256 hash:
727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd
MD5 hash:
4ef0f866e2a92cb31ac0764700c82ec8
SHA1 hash:
ab061a297b232168508abfe04aa3c7da80fc5018
Link:
https://www.unpac.me/results/f1eb844d-2305-4798-8416-f5d3eb75fd6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/727a3d9b0884726b8aa69b6368ec32032c36645c6d82a33ae569d2c94f94f4dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296148/

Comments