MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 10



SHA256 hash: 795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6
SHA3-384 hash: 16a796f69b951e4aac5ac6c2e8c5ce78a0cb37ed168a1085d69d0b4f06caf2202365e353bf051fc0f9d5ef011acebd94
SHA1 hash: 5e96ebe6628bff1c67254a524b593367780cd794
MD5 hash: aed17b7fdfbcbbb66f45783bf7753a81
humanhash: sweet-speaker-equal-king
File name: aed17b7fdfbcbbb66f45783bf7753a81.exe
Signature: Gh0stRAT
File size: 1'822'406 bytes
First seen: 2021-11-21 09:44:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep 24576:vQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVLOoWvWL0vbJ:vQZAdVyVT9n/Gg0P+WhoI2A0vbJ
Threatray 154 similar samples on MalwareBazaar
TLSH T12C85D166FA8140B1C129107004AB5B35DB759DB54E328F9BA75AFE0E7D72282A43723F
File icon (PE): PE icon
dhash icon 68d09c9e9ed8e070 (1 x Gh0stRAT)
Reporter abuse_ch
Tags: exe Gh0stRAT

Intelligence


File Origin
# of uploads:
1
# of downloads:
144
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aed17b7fdfbcbbb66f45783bf7753a81.exe
Verdict:
No threats detected
Analysis date:
2021-11-21 09:47:46 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the drivers directory
Loading a system driver
Running batch commands
Creating a process with a hidden window
DNS request
Moving a file to the %temp% directory
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Enabling autorun for a service
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware icedid keylogger overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Mimikatz
Detection:
malicious
Classification:
spre.bank.troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Behavior Graph ID: 525715
Sample: 7w2gV0mADU.exe
Startdate: 21/11/2021
Architecture: WINDOWS
Score: 100

Start node (2):
  DNS/IP: hackerinvasion.f3322.net
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
  Started: 7w2gV0mADU.exe (9); TXPlatforn.exe (13); svchost.exe (15); 13 other processes (17)

7w2gV0mADU.exe (9):
  Dropped: C:\Users\user\Desktop\HD_7w2gV0mADU.exe, PE32; C:\Users\user\AppData\Local\...\svchost.exe, PE32; C:\Users\user\AppData\Local\Temp\svchos.exe, PE32; 15 other malicious files
  Signatures: Drops PE files with benign system names; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
  Started: svchost.exe (19); svchos.exe (23); HD_7w2gV0mADU.exe (25)

TXPlatforn.exe (13):
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
  Started: TXPlatforn.exe (27)

svchost.exe (15):
  Signatures: Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications

13 other processes (17):
  Dropped: C:\Windows\SysWOW64\                .exe, PE32
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Started:                .exe (30); MpCmdRun.exe (32); WerFault.exe (34)

svchost.exe (19):
  Dropped: C:\Windows\SysWOW64\TXPlatforn.exe, PE32
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  Started: cmd.exe (36)

svchos.exe (23):
  Dropped: C:\Windows\SysWOW64\3793593.txt, PE32
  Signatures: Creates a Windows Service pointing to an executable in C:\Windows

HD_7w2gV0mADU.exe (25):
  Started: WerFault.exe (39)

TXPlatforn.exe (27):
  DNS/IP: hackerinvasion.f3322.net 103.45.186.94, ports 49720, 49721, 49724, CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali China; 192.168.2.1 unknown unknown
  Dropped: C:\Windows\System32\drivers\QAssist.sys, PE32+
  Signatures: Sample is not signed and drops a device driver

MpCmdRun.exe (32):
  Started: conhost.exe (41)

cmd.exe (36):
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started: PING.EXE (43); conhost.exe (46)

PING.EXE (43):
  DNS/IP: 127.0.0.1 unknown unknown
Threat name:
Win32.PUA.FlyStudio
Status:
Malicious
First seen:
2021-11-17 19:39:23 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets DLL path for service in the registry
Sets service image path in registry
Unpacked files
SHA256 hash:
535f80c6f550ab5b3600b65ffffce1448fd34bb8fe7bcfac39eeb3fcd54013f8
MD5 hash:
53f8a595a534d83a8bb3d19b109f1ed9
SHA1 hash:
da39b00a08c8804fea4b5bbc16f73700a0ea9ff6
SHA256 hash:
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
MD5 hash:
3b377ad877a942ec9f60ea285f7119a2
SHA1 hash:
60b23987b20d913982f723ab375eef50fafa6c70
SHA256 hash:
795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6
MD5 hash:
aed17b7fdfbcbbb66f45783bf7753a81
SHA1 hash:
5e96ebe6628bff1c67254a524b593367780cd794
Malware family:
Mimikatz
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments