MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ae15c1bfdf60a0b05efe8f2b0e0c70c1f7d8aaef456fc82efd1092bc687c7d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 11

Intelligence 11 IOCs 2 YARA 1 File information Comments

SHA256 hash:	7ae15c1bfdf60a0b05efe8f2b0e0c70c1f7d8aaef456fc82efd1092bc687c7d7
SHA3-384 hash:	43a5d17e51c93c17811e2ea3a9019c27165323f856effdf47da25477dfc59b5cfda369b7cca921a81e95db091ee42f2e
SHA1 hash:	f7a0ed621d7d93b4a3d57c5d9c57bc1287531e90
MD5 hash:	d4ffa8c3584762b282e3f1ad7ba79bad
humanhash:	summer-johnny-nevada-fourteen
File name:	7AE15C1BFDF60A0B05EFE8F2B0E0C70C1F7D8AAEF456F.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	148'480 bytes
First seen:	2022-03-22 13:08:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	daf30ebcb1ad4f0fbbaf88d0b9e7e01b (7 x Gh0stRAT)
ssdeep	3072:r+7a/40Udj30DCwHUXILXu6fJuhUYQCcr8LUs3Gs/81GpJ43asARaxuP:a7a/0dj30DzbbNR0UYUIwsWU8K4dCP
TLSH	T11EE3128084F0EADAD464007FF47561E98674D1EF82D4AAD8FA50126FFF68ECC4678627
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
3.142.81.166:16180

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
3.142.81.166:16180	https://threatfox.abuse.ch/ioc/438856/
13.58.157.220:16180	https://threatfox.abuse.ch/ioc/438857/

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Detection:

PcClient

Link:

https://www.capesandbox.com/analysis/254162/

Detection(s):

Win.Trojan.Farfli-9753454-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows directory

Сreating synchronization primitives

Creating a service

Creating a file

Creating a file in the Program Files subdirectories

Launching a service

Enabling autorun for a service

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm packed shell32.dll

Link:

https://www.filescan.io/uploads/6239ca490cd58dbd92d6b112/reports/96e5915e-aaa2-414a-9036-3acccf91b586/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Barys

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e87f5cc1-dc58-49eb-963b-4915dbed4fdb

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/961851

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to detect sleep reduction / modifications

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Application Executed Non-Executable Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ae15c1bfdf60a0b05efe8f2b0e0c70c1f7d8aaef456fc82efd1092bc687c7d7/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2021-05-12 06:48:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

38 of 42 (90.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=plqvyg756yfawbpp5dzlbyghbqpx3cvo6rlpzaxp2eesxruhy7lq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220322-qdstssfdb2/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Deletes itself

Loads dropped DLL

Blocklisted process makes network request

Unpacked files

SH256 hash:

c897d2ce05c287c1555f0fbdabd63cc2adf2ab4edf62128c92d4ead4122ee81d

MD5 hash:

6eb5b3877b8f4f44091d5368b5a64a9f

SHA1 hash:

d67697bfa75188f0ff5d2fefcc61853db1f166a3

Link:

https://www.unpac.me/results/e233deab-44cc-4236-b64e-2dbd85524b1f/

SH256 hash:

706cb6128b3d254f705cd65e5367b9b8cfa3445cb45e4a34a48b82243ae75aa3

MD5 hash:

9fcfe78afba95c1f3ad8e3f99c5c4636

SHA1 hash:

89dd87064a67a2efb86fdf1e91ed5edebd40f052

Link:

https://www.unpac.me/results/e233deab-44cc-4236-b64e-2dbd85524b1f/

SH256 hash:

d780908f8c201fbbfded2128798f966dd7cdd57fcebd62a1c7ddffbeadf7e463

MD5 hash:

967d24bfffe7e20ea0256d56faa7c6d4

SHA1 hash:

e93af4c27529c96e5008d12225004ccde57fe94b

Link:

https://www.unpac.me/results/e233deab-44cc-4236-b64e-2dbd85524b1f/

SH256 hash:

7ae15c1bfdf60a0b05efe8f2b0e0c70c1f7d8aaef456fc82efd1092bc687c7d7

MD5 hash:

d4ffa8c3584762b282e3f1ad7ba79bad

SHA1 hash:

f7a0ed621d7d93b4a3d57c5d9c57bc1287531e90

Link:

https://www.unpac.me/results/e233deab-44cc-4236-b64e-2dbd85524b1f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

PcClient

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ae15c1bfdf60a0b05efe8f2b0e0c70c1f7d8aaef456fc82efd1092bc687c7d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/254162/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample