MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e517ca276ec74474e8e32475e762aebc320fbe5e68f3bbdbc925c20ec3bf128. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	7e517ca276ec74474e8e32475e762aebc320fbe5e68f3bbdbc925c20ec3bf128
SHA3-384 hash:	675c9e04e6cd4a634d466e4f5e2bd36aa0c9edfef494696e0cc29b38add56948222c3207ea7b33a200757db88736dc39
SHA1 hash:	8a178e15f065acf6ecb3dd34484d58918c576835
MD5 hash:	0099ac0f5732d6ef0ba8ad4537902017
humanhash:	hamper-helium-batman-helium
File name:	7E517CA276EC74474E8E32475E762AEBC320FBE5E68F3.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	184'320 bytes
First seen:	2022-04-09 18:25:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1d1a38da13d04677f392f9ca4e289b52 (3 x Gh0stRAT)
ssdeep	3072:+cWYIO5tt7avdm4mnNjlc7ue/liZ+kakzTwYdrPKWE/XU:JWYFmqNjmHlmZak3wYtyBU
Threatray	18 similar samples on MalwareBazaar
TLSH	T198047D02FAC544F9F995153C14BB6B369B3FBD648A495A83EB24FE950C73180BA22347
File icon (PE):
dhash icon	e0e4a2aaa4b8a888 (10 x DarkWatchman, 5 x SnakeKeylogger, 5 x Formbook)
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
183.236.2.18:8888

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
183.236.2.18:8888	https://threatfox.abuse.ch/ioc/382111/

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7E517CA276EC74474E8E32475E762AEBC320FBE5E68F3.exe

Verdict:

No threats detected

Analysis date:

2022-04-09 18:27:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aac3e931-f440-4337-9aa0-f966b33fdb5b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PcClient

Link:

https://www.capesandbox.com/analysis/262342/

Detection(s):

Win.Trojan.Farfli-3966

Win.Trojan.Magania-16616

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows directory

Creating a file

Launching a service

Creating a file in the Windows subdirectories

Loading a system driver

Сreating synchronization primitives

Creating a service

DNS request

Enabling autorun for a service

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13290/overview

Behaviour

MalwareBazaar

SystemUptime

CallSleep

EnumerateProcesses

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive gh0st graftor greyware keylogger packed rundll32.exe shell32.dll upatre

Link:

https://www.filescan.io/uploads/6251cfbad149c40acb146e8f/reports/8cce2089-cde0-46d7-bbc0-3a31edbcbc3a/overview

Malware family:

Barys

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca7180e6-6d28-4df0-bb40-9aa44e7c438f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/973815

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to detect sleep reduction / modifications

Deletes itself after installation

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e517ca276ec74474e8e32475e762aebc320fbe5e68f3bbdbc925c20ec3bf128/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2011-08-03 22:13:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

39 of 42 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pzixzitw5r2eotuogjdv45rk5pbsb67f42htxpn4sjocb3b36eua._file

Verdict:

malicious

Gh0stRAT

16fbf893577545517baae80528f89f3b4ff2985ea7bbb39a25586ad44a5e148b

Gh0stRAT

7ae15c1bfdf60a0b05efe8f2b0e0c70c1f7d8aaef456fc82efd1092bc687c7d7

Gh0stRAT

a3b7929d37805fa49dda5200049f664f38c6832fcc8d9d58f4afb7d7906a2d23

Gh0stRAT

a7a9d11f1cfcd60a6548d3f5033f0d621a0c383e4d02af3e2782af0eab8085e7

Gh0stRAT

c072cb1cd389ffe94439d44a984e9d03b1217d4a5d41d6a279e541d64ad74b9c

Gh0stRAT

+ 8 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220409-w252xsbcd3/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Deletes itself

Loads dropped DLL

Unpacked files

SH256 hash:

35cc9b0c34bd355fad333842013ff7a95ee4db94d530968e97035f2eb0c6c643

MD5 hash:

5d33f6a1cd8b3b5e5aa76ef3a90ee985

SHA1 hash:

b453f859263e7ef5d47864e4a6edf9d46d8c7fef

Link:

https://www.unpac.me/results/9440d332-1052-4b92-9b77-a13d99669942/

SH256 hash:

7e517ca276ec74474e8e32475e762aebc320fbe5e68f3bbdbc925c20ec3bf128

MD5 hash:

0099ac0f5732d6ef0ba8ad4537902017

SHA1 hash:

8a178e15f065acf6ecb3dd34484d58918c576835

Link:

https://www.unpac.me/results/9440d332-1052-4b92-9b77-a13d99669942/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7e517ca276ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

PcClient

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e517ca276ec74474e8e32475e762aebc320fbe5e68f3bbdbc925c20ec3bf128

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/262342/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample