MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cb014a9f7b5e2407867c0cabe5bc80770366b3bd1ecd511d1fdf3df4d27325e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 9

SHA256 hash: 7cb014a9f7b5e2407867c0cabe5bc80770366b3bd1ecd511d1fdf3df4d27325e
SHA3-384 hash: 338c3c726b05efecee76083965e30df070f7c2be95151dc0c31548b57c0374115aa8d37d1cdc2a1ed9c099068fd72f71
SHA1 hash: 961001353d4e58278c37e40e36b76c6e5ffbdcf6
MD5 hash: 924d1620abf7263f8462905d2111e384
humanhash: monkey-enemy-violet-apart
File name: Farfli.exe
Signature: Gh0stRAT
File size: 4'915'200 bytes
First seen: 2022-06-13 15:59:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 36 x Vidar)
ssdeep: 49152:RtpvqzABOEmXJpPg0u4bFayjB3sDs+zNjGtUYsfDORUkbUDwjtqSjAil0VF1/5PU:Rtpv7BcXJpPv+zJGtUfVxPJfh8
Threatray: 61 similar samples on MalwareBazaar
TLSH: T14E366A50F9DB80F1E603193004A7A2BF27306E095F24DBD7EA547FAAE8776E10E32559
gimphash: 28f9ef451e592b1f8f79ca0862a6326d9c99d8baedba191cc101ed1e0ff0da66
TrID: 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: obfusor
Tags: exe Farfli Gh0stRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 314
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Farfli.exe
Verdict: Suspicious activity
Analysis date: 2022-06-13 20:40:06 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Searching for the window
Sending an HTTP GET request
Creating synchronization primitives
Sending a custom TCP request

Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: golang packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat, Nitol
Detection: malicious
Classification: troj
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected GhostRat
Yara detected Nitol
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2022-06-13 09:25:59 UTC
File Type: PE (Exe)
AV detection: 18 of 26 (69.23%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Checks processor information in registry
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Enumerates connected drives
Unpacked files
SHA256 hash: 7cb014a9f7b5e2407867c0cabe5bc80770366b3bd1ecd511d1fdf3df4d27325e
MD5 hash: 924d1620abf7263f8462905d2111e384
SHA1 hash: 961001353d4e58278c37e40e36b76c6e5ffbdcf6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: methodology_golang_build_strings
Author: smiller
Description: Looks for PEs with a Golang build ID

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments