MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ae634ee697187da41db972138ee0cd915387650870bf7d74f856578514a56fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 7



SHA256 hash: 8ae634ee697187da41db972138ee0cd915387650870bf7d74f856578514a56fe
SHA3-384 hash: 1aba71d3ad18bb17ef890d64c9eafc212484dfc7352548296d72d0442018ba9f781ee1d74ad93208104be646deb9b186
SHA1 hash: 2053c3a224cb7cf323ef3b04efb92afcdb40d2de
MD5 hash: 63277cf838b5a314b20a7ed4a296a5ec
humanhash: whiskey-dakota-oregon-indigo
File name: 8AE634EE697187DA41DB972138EE0CD915387650870BF7D74F856578514A56FE.com
Signature Gh0stRAT
File size: 2'727'424 bytes
First seen: 2022-05-28 13:54:12 UTC
Last seen: 2022-05-30 03:34:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash a48c89d892cf85298f99cbdf47341837 (2 x Gh0stRAT)
ssdeep 49152:PfHCMqa08nD+5pawE04jsZa+eLOSHUHpIHHiTk8FKBhG+aAFodOcQvhn+AaBiB9a:3rE8nD+5zE1ia+eLOSHUHpIniA7aAFxG
Threatray 10 similar samples on MalwareBazaar
TLSH T1D0C55B6327ECC175DB622133E529EABFD8F56530073505C3A1A25A3B9F72081FD1A29E
TrID 54.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
18.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.5% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter obfusor
Tags: exe Gh0stRAT RAT
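Before doing anything with a downloaded copy of this sample, confirm that the bytes on disk are the bytes the entry describes. The script below is an added example, not MalwareBazaar's own tooling: it recomputes the four digests and the size listed above with Python's hashlib and compares them field by field against the record. The RECORD values are copied from this entry; the placeholder bytes used when no path is given are constructed so the script runs offline.

```python
"""Verify a local file against the hashes MalwareBazaar publishes for a sample.

Added example (not MalwareBazaar code). RECORD is copied from the entry above;
the fallback input bytes are a constructed placeholder, not the real sample.
"""
import hashlib
import sys

# Digests and size as listed in the entry above.
RECORD = {
    "sha256": "8ae634ee697187da41db972138ee0cd915387650870bf7d74f856578514a56fe",
    "sha3_384": "1aba71d3ad18bb17ef890d64c9eafc212484dfc7352548296d72d0442018ba9f"
                "781ee1d74ad93208104be646deb9b186",
    "sha1": "2053c3a224cb7cf323ef3b04efb92afcdb40d2de",
    "md5": "63277cf838b5a314b20a7ed4a296a5ec",
    "size": 2727424,
}


def digest_all(data: bytes) -> dict:
    """Compute the same digest set the entry lists (lower-case hex) plus the byte length."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def compare_to_record(data: bytes, record: dict) -> dict:
    """Field-by-field comparison. Hex values are normalised to lower case
    because copied hashes are often upper-cased (see the file name above)."""
    actual = digest_all(data)
    result = {}
    for field, expected in record.items():
        got = actual[field]
        if isinstance(expected, str):
            result[field] = got == expected.lower()
        else:
            result[field] = got == expected
    return result


def is_recorded_sample(data: bytes, record: dict = RECORD) -> bool:
    """True only when every digest and the size match; one mismatch is enough to reject."""
    return all(compare_to_record(data, record).values())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed placeholder so the script runs without the sample present.
        blob = b"MZ placeholder bytes, not the real sample"
    for field, ok in compare_to_record(blob, RECORD).items():
        print(f"{field:9s} {'match' if ok else 'MISMATCH'}")
    print("verdict:", "recorded sample" if is_recorded_sample(blob) else "NOT the recorded sample")
```

Note that samples downloaded from MalwareBazaar arrive inside a password-protected ZIP (password `infected`); the check above is meant for the extracted executable, not the archive. A digest mismatch on the extracted file usually means the wrong member was extracted or the file was modified in transit, and the sample should not be analysed under the assumption that it is this entry.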

Intelligence


File Origin
# of uploads :
3
# of downloads :
361
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8AE634EE697187DA41DB972138EE0CD915387650870BF7D74F856578514A56FE.com
Verdict:
No threats detected
Analysis date:
2022-05-28 13:55:36 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Searching for the window
DNS request
Launching a service
Sending a UDP request
Launching a process
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed shell32.dll
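Two of the behaviours listed above are cheap to turn into endpoint detections: the Run-key autorun entry, and a process started from a file the sample had just written ("Creating a file" followed by "Creating a process from a recently created file"). The script below is an added example, not part of this entry or of any vendor's sandbox: it assumes Sysmon-style event records (EventID 11 FileCreate, 1 ProcessCreate, 13 RegistryEvent value set, with UtcTime, Image, TargetFilename and TargetObject fields) and runs over a constructed timeline whose file names and SID are invented for the illustration.

```python
"""Flag Run-key persistence and execute-from-freshly-written-file in Sysmon-style events.

Added example, not vendor or MalwareBazaar code. Field names follow Sysmon
(EventID 11 = FileCreate, 1 = ProcessCreate, 13 = RegistryEvent value set);
the EVENTS timeline below is constructed for the illustration.
"""
from datetime import datetime
import re

# Sysmon records the value path as HKU\<SID>\Software\...\Run\<name> or
# HKLM\SOFTWARE\...\Run\<name>; one case-insensitive pattern covers both hives.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_run_key_persistence(events):
    """Registry value sets (EventID 13) under a CurrentVersion Run key."""
    return [e for e in events
            if e["EventID"] == 13 and RUN_KEY.search(e.get("TargetObject", ""))]


def find_exec_from_new_file(events, window_seconds=120):
    """ProcessCreate (EventID 1) whose Image was written by a FileCreate (EventID 11)
    at most window_seconds earlier. Paths are compared case-insensitively because
    NTFS is, and the earliest creation time of a path is kept."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda ev: _ts(ev["UtcTime"])):
        if e["EventID"] == 11:
            created.setdefault(e["TargetFilename"].lower(), _ts(e["UtcTime"]))
        elif e["EventID"] == 1:
            when = created.get(e["Image"].lower())
            if when is not None:
                delta = (_ts(e["UtcTime"]) - when).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append(e)
    return hits


def report(events):
    """(indicator, image) pairs in time order, the way a triage note would list them."""
    findings = [("run_key_persistence", e["Image"], e["UtcTime"])
                for e in find_run_key_persistence(events)]
    findings += [("exec_from_new_file", e["Image"], e["UtcTime"])
                 for e in find_exec_from_new_file(events)]
    return [(kind, image) for kind, image, _ in sorted(findings, key=lambda f: f[2])]


# Constructed timeline: a dropper writes a second-stage binary, runs it, and the
# second stage registers itself under the user's Run key. The last two events are
# benign noise (explorer updating RecentDocs) that must not fire.
EVENTS = [
    {"EventID": 11, "UtcTime": "2022-05-28 13:55:40.100",
     "Image": "C:\\Users\\victim\\sample.exe",
     "TargetFilename": "C:\\ProgramData\\svchost_update.exe"},
    {"EventID": 1, "UtcTime": "2022-05-28 13:55:41.300",
     "Image": "C:\\ProgramData\\svchost_update.exe",
     "ParentImage": "C:\\Users\\victim\\sample.exe"},
    {"EventID": 13, "UtcTime": "2022-05-28 13:55:42.000",
     "Image": "C:\\ProgramData\\svchost_update.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update",
     "Details": "C:\\ProgramData\\svchost_update.exe"},
    {"EventID": 1, "UtcTime": "2022-05-28 14:30:00.000",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "UtcTime": "2022-05-28 14:30:01.000",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",
     "Details": "Binary Data"},
]

if __name__ == "__main__":
    for kind, image in report(EVENTS):
        print(f"{kind:22s} {image}")
```

The execute-from-new-file rule is the noisier of the two (installers and updaters do exactly this), so in practice it is scored rather than alerted on alone; combined with a Run-key write from the same image within the same minute, as in the constructed timeline, it reproduces the chain the sandbox summarised above.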
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.Zenpak
Status:
Malicious
First seen:
2022-05-28 13:55:13 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Unpacked files
SHA256 hash:
8ae634ee697187da41db972138ee0cd915387650870bf7d74f856578514a56fe
MD5 hash:
63277cf838b5a314b20a7ed4a296a5ec
SHA1 hash:
2053c3a224cb7cf323ef3b04efb92afcdb40d2de
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments