MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
SHA3-384 hash: b34094995922c29d2d3d29cfe99c726986678337c22b6ca5f2fe419ee9da84a49fdd9043a48ed2d5178fa881d7422243
SHA1 hash: a7f391b7209f6159349a33348816d638e7809ee0
MD5 hash: 623d28815c85957bafdd79395e2227c9
humanhash: sixteen-violet-fruit-pasta
File name:623d28815c85957bafdd79395e2227c9
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'242'112 bytes
First seen:2023-12-31 12:07:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash de6942886ea1706308de6a5dc748b51c (8 x Gh0stRAT)
ssdeep 12288:zcWl26g/UBlRn5DzZ3TTP+5WkOVHK/H7sx117ksgSh20RUTMkzVSleJHcT/rBMSb:gWgHN8kSszVSlMHcTDBMGr9chBMuk
Threatray 45 similar samples on MalwareBazaar
TLSH T18A4559691BAB4256DB553BB9C8B6929409190F531F28C4B16E310D1EBD2724FFC23EBC
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Killmbr-9972958-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
farfli packed virus
Link:
https://www.filescan.io/uploads/659159a47d4bdb7f8b018c1c/reports/9cef68cf-0b8b-42d3-8d2b-186cad2d7274/overview
Verdict:
Malicious
Labled as:
DeepScan:Generic.KillMBR.A
Link:
https://www.hybrid-analysis.com/sample/83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d32bbb7-37e9-419f-af02-4d91a7e0ce38
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368377
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify clipboard data
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2023-12-26 12:36:48 UTC
File Type:
PE (Exe)
AV detection:
32 of 36 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qm4v7z7rch5nc3i2nhw7jhoquuvtiaezgd2xizrrwhzebxcu4tzq._file
Verdict:
malicious
Similar samples:
1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825
Gh0stRAT
20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286
Gh0stRAT
4e90491d7bfcb50079a2fc9795b8ae9c4bd9ee5b26913b075ea248f953c6b910
Gh0stRAT
71a0f84fc97d3ea8ecdc9dc19e058fe994e3cecf826f3db462c4995d8ee6dacb
Gh0stRAT
7d147fa016e7218fcf60c76d2688a100e83fbb580f3c954d55e08d2c7b0b5a14
Gh0stRAT
83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
Gh0stRAT
a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf
Gh0stRAT
d46dbbb40bf11bda9b1aa74d9d2550a73ab0ae6008270c2c541153cd4974a3dd
Gh0stRAT
+ 35 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan
Link:
https://tria.ge/reports/231231-pawkvadefn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Enumerates connected drives
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
838e034e27aa37c05bc9df1ec553990ee64afbe6adffa03a6f3decb730a2caca
MD5 hash:
c05674d936917dc6989f44ffdba28a24
SHA1 hash:
6ddbb07cd66f86ed937a1c7938fae4ec6c354950
Detections:
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
Hidden
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
MALWARE_Win_Zegost
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/02b4811a-c18c-4828-b606-2e7018c6be17/
Parent samples :
83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
eaa840e393c8f8a3bdcd865ea6eff59f586e14bd9c3518d88098062056964281
40e261e7bffce05b06dc3d6feaa430d310ec8bde473e1136255965b8aa28f925
5e4f250d0488ca67cd13e2e8c50eba3f8b6da8b99095a561378eab18bcd4a4a0
68abafd00ce80bf87b40ac64359794d75bedc8799e787511e6bd20f6a88295d2
SH256 hash:
83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3
MD5 hash:
623d28815c85957bafdd79395e2227c9
SHA1 hash:
a7f391b7209f6159349a33348816d638e7809ee0
Link:
https://www.unpac.me/results/02b4811a-c18c-4828-b606-2e7018c6be17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 83395fe7f111fad16d1a69edf49dd0a52b34009930f5746631b1f240dc54e4f3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745549/

Comments


Avatar
zbet commented on 2023-12-31 12:07:13 UTC

url : hxxp://154.39.239.56/mm.txt