MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 827349ef926486d692dec5158ac66fcc27ec6f628f759f1cb23814f50f93ab88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 6



SHA256 hash: 827349ef926486d692dec5158ac66fcc27ec6f628f759f1cb23814f50f93ab88
SHA3-384 hash: b8b85f8db83a50be71950dbde2f3b53f652622d9cd133dc7fd9a3193fde315627166d8793fb4270d74d0a4e787a17462
SHA1 hash: f26f2d8f14aee6b2f383de9a6554274d9246cd7e
MD5 hash: 9be6a8af4623f84a939cfc2fe9ba98b8
humanhash: washington-kitten-salami-steak
File name: 点击此处安装中文语言包.exe (Chinese: "Click here to install the Chinese language pack.exe")
Signature: Gh0stRAT
File size: 4'039'489 bytes
First seen: 2022-05-22 06:10:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (shared with other MalwareBazaar samples: 4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 98304:w06FOznLo0+Dd6uxcrdMyIOCyqwHamWVWxT+f2hPQBjmVu2tx:w3F6n80W6uGrKOtbLWVwuKBx
Threatray 24 similar samples on MalwareBazaar
TLSH T17B162343F381D1B5C8B680B9805589B38B652E3197BBD4E7ABC0766ECF601D09B36F49
TrID 68.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
10.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.2% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon 9ee8e8f0e8e0e98e (shared with other MalwareBazaar samples: 1 x Gh0stRAT, 1 x MimiKatz)
Reporter obfusor
Tags: dropper, exe, Gh0stRAT, RAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 697
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 点击此处安装中文语言包.exe
Verdict: No threats detected
Analysis date: 2022-05-22 06:12:27 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness: (none given)
Behaviour
Searching for the window
Searching for synchronization primitives
Creating a window
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware, obfuscated, overlay, packed, shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GhostRat, Mimikatz, Nitol
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies the windows firewall
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph: ID 631762; sample: 点击此处安装中文语言包.exe (rendered in the export as #U70b9#U51fb#U6b64#U5904#U5b89#U88c5#U4e2d#U6587#U8bed#U8a00#U5305.exe); start date: 22/05/2022; architecture: Windows; score: 100.
The graph export is flattened here into the process tree it encodes; the node numbers from the export are kept in parentheses.

Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Yara detected Nitol; 4 other signatures.

Process tree:
点击此处安装中文语言包.exe (9)
    drops: C:\Users\user\AppData\Local\...\irsetup.exe (PE32), C:\Users\user\AppData\Local\...\lua5.1.dll (PE32)
    starts irsetup.exe (20)
        drops: C:\ProgramData\data\upx.exe (PE32)
        signature: Drops executables to the windows directory (C:\Windows) and starts them
        starts WindowsNT.exe (30)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
            starts cmd.exe (39)
                signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings
                starts conhost.exe (59)
            starts cmd.exe (42) and cmd.exe (44), each starting 2 other processes (63, 65)
            starts 4 other processes (54), which start conhost.exe (61) and 2 other processes (73)
        starts WindowsNT.exe (33)
            network: 65.20.74.5 on port 36060 (49766 is the ephemeral local port); CP-ASDE, United States
            signature: Hides threads from debuggers
            starts cmd.exe (46), cmd.exe (48) and cmd.exe (50), each starting 2 other processes (67, 69, 71)
            starts 19 other processes (56)
                drops: C:\ProgramData\Program\iusb3mon.exe (PE32), C:\ProgramData\ProgrambehaviorgraphLUT32.dll (PE32; this path is garbled in the export)
                starts 30 other processes (75)
        starts upx.exe (36)
            drops: C:\WindowsNT\WindowsNT.exe (PE32)
            starts conhost.exe (52)
iusb3mon.exe (12), started at the top level rather than by the sample process
    signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
upx.exe (15), started at the top level
    network: 192.168.2.1 (unknown, unknown)
    starts conhost.exe (24)
2 other processes (18), started at the top level
    start conhost.exe (26) and conhost.exe (28)

Two points to keep in mind when reading the tree. 192.168.2.1 is a private (RFC 1918) address, so that connection is local to the sandbox network rather than an external contact; the only external endpoint in the graph is 65.20.74.5:36060, reached by WindowsNT.exe. And C:\WindowsNT\ is a separate directory whose name merely begins with "C:\Windows": every dropped binary the graph names lives in C:\WindowsNT\, C:\ProgramData\ or the user's AppData, not inside the real Windows directory.
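The signatures and the process tree above amount to a detection recipe: a binary dropped under C:\ProgramData or the look-alike C:\WindowsNT directory spawns cmd.exe to run netsh and schtasks, and then reaches 65.20.74.5 on port 36060. The following Python triages Sysmon-style process-creation and network-connection events against exactly that pattern. It is an added example, not code from MalwareBazaar or from any of the sandbox vendors; the event records are constructed for illustration and their command lines are hypothetical, since the report names the tools but not their arguments, while the dropped paths and the endpoint are taken from the entry.

```python
"""Triage helper for the behaviours reported above: netsh firewall changes,
schtasks persistence, execution from C:\\ProgramData or the look-alike
C:\\WindowsNT directory, and the 65.20.74.5:36060 contact.

Added example, not code from MalwareBazaar or any sandbox vendor. The event
records are constructed; their field names follow Sysmon event IDs 1 (process
creation) and 3 (network connection), but the command lines are hypothetical,
since the report lists the tools used and not the exact arguments.
"""
import re
from ipaddress import ip_address

# Indicators taken from the entry: the endpoint WindowsNT.exe contacted and the
# executables the sandbox saw dropped (compared case-insensitively).
C2_ENDPOINT = ("65.20.74.5", 36060)
DROPPED_EXECUTABLES = {
    r"c:\programdata\data\upx.exe",
    r"c:\windowsnt\windowsnt.exe",
    r"c:\programdata\program\iusb3mon.exe",
}
# Directories a system binary has no business running from. C:\WindowsNT is a
# directory created beside C:\Windows, not a real Windows directory.
ODD_RUN_DIRS = ("c:\\programdata\\", "c:\\windowsnt\\", "c:\\users\\public\\")

NETSH_FIREWALL = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall|firewall)\b", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
AT_JOB = re.compile(r"(?:^|\s|\\)at(?:\.exe)?\s+\d{1,2}:\d{2}\b", re.I)


def classify(event):
    """Return the rule names an event triggers, in a fixed order."""
    hits = []
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    if image in DROPPED_EXECUTABLES or parent in DROPPED_EXECUTABLES:
        hits.append("known_dropped_binary")
    if event["type"] == "process_create":
        cmd = event["command_line"]
        if image.startswith(ODD_RUN_DIRS):
            hits.append("exec_from_odd_dir")
        if NETSH_FIREWALL.search(cmd):
            hits.append("netsh_firewall_change")
        if SCHTASKS_CREATE.search(cmd) or AT_JOB.search(cmd):
            hits.append("scheduled_task_persistence")
    elif event["type"] == "network_connect":
        dest = (event["dest_ip"], event["dest_port"])
        if dest == C2_ENDPOINT:
            hits.append("known_c2")
        elif not ip_address(dest[0]).is_private and image.startswith(ODD_RUN_DIRS):
            # External traffic from a data directory is worth a look; private
            # destinations (like the 192.168.2.1 in the graph) are sandbox-local.
            hits.append("external_connect_from_odd_dir")
    return hits


def triage(events):
    """Per-event findings for every event that triggered at least one rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]


def verdict(events):
    """Roll the per-event hits up into one call for the host."""
    hits = set()
    for e in events:
        hits.update(classify(e))
    if "known_c2" in hits or {"netsh_firewall_change", "scheduled_task_persistence"} <= hits:
        return "malicious"
    return "suspicious" if hits else "clean"


# Constructed events (not from the report), shaped like the process tree above.
EVENTS = [
    {"type": "process_create", "image": r"C:\WindowsNT\WindowsNT.exe",
     "parent_image": r"C:\ProgramData\data\upx.exe",
     "command_line": r"C:\WindowsNT\WindowsNT.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\WindowsNT\WindowsNT.exe",
     "command_line": 'cmd.exe /c netsh advfirewall firewall add rule name="WindowsNT" '
                     'dir=in action=allow program="C:\\WindowsNT\\WindowsNT.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\WindowsNT\WindowsNT.exe",
     "command_line": r"cmd.exe /c schtasks /create /sc onlogon /tn WindowsNT /tr C:\WindowsNT\WindowsNT.exe /f"},
    {"type": "network_connect", "image": r"C:\WindowsNT\WindowsNT.exe",
     "dest_ip": "65.20.74.5", "dest_port": 36060},
    {"type": "network_connect", "image": r"C:\ProgramData\data\upx.exe",
     "dest_ip": "192.168.2.1", "dest_port": 53},   # private: sandbox-local, not C2
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for image, hits in triage(EVENTS):
        print(f"{image}: {', '.join(hits)}")
    print("verdict:", verdict(EVENTS))
```

Running the file prints the per-event findings and the host verdict. The private-address check is what keeps the 192.168.2.1 connection from being counted as C2 traffic; a rule that fired on every connection made by a dropped binary would mislabel sandbox-local traffic, and the known-C2 match should stay tied to the exact endpoint the report gives rather than to the IP alone.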
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: e468da2a31a897416441ae2d2e99a0664d989940fd8bbdf3c774e1b6088a3ffb
MD5 hash: 1eb23720a1686b62169eacee8bb64fb2
SHA1 hash: 81a21c2bdbda7e49a9187415ff9a024a2dfb7f76

SHA256 hash: 55afec20feec6d827e210ddf325655d4e580cb63964d94fe58edbfee4eae4111
MD5 hash: ecc8d86bf4d96a38eb41ae50fc71e67a
SHA1 hash: 45b827212e8a04b6e89c041b3e570c61dd1b3305

SHA256 hash: 02ce69a49442f00cf1cced9968fbeb5e645801efe7c19ab1362fdde14cb0c471
MD5 hash: 1d1b29a06415705a56ed2eebd4a3ecbe
SHA1 hash: 4cfaf4a806238d62a92b5b24ea5093c91d2dfe9a

SHA256 hash: 131b5f5e179e8e4ef4252616e0372184db70bc3a5095ae7902698ec2095048ef
MD5 hash: 2d2ae412ba2048089cdd0864b79b7f8c
SHA1 hash: 19a4878e62b4b5ba860166d106c5c8a45e4e2055

SHA256 hash: 827349ef926486d692dec5158ac66fcc27ec6f628f759f1cb23814f50f93ab88 (the submitted sample itself)
MD5 hash: 9be6a8af4623f84a939cfc2fe9ba98b8
SHA1 hash: f26f2d8f14aee6b2f383de9a6554274d9246cd7e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments