MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b4d93af831e8015390e408e5d3ca39ea69287ed500fdea41457a652a0eb336f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 7

SHA256 hash: 8b4d93af831e8015390e408e5d3ca39ea69287ed500fdea41457a652a0eb336f
SHA3-384 hash: da4c2c07acbe5808d065dbcf90a4f7e83a524d0534c4dbfbf89dc10480d3085de00a72a41f209f14beee841610ebd9b8
SHA1 hash: 7134ed6a7259a062374e8689e8524fd2d9e46a05
MD5 hash: e6ef8b625cb7c23b6a54df9a255641dc
humanhash: west-orange-lithium-nuts
File name: GAPI32.dll
Signature: Gh0stRAT
File size: 250'880 bytes
First seen: 2022-05-28 15:08:21 UTC
Last seen: 2022-05-28 15:38:32 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 3025522a76a1746e43e19b538461887f (1 x Gh0stRAT)
ssdeep: 6144:0oiQjfaEuBfJUTUil/4sPadcpKOeOE8ZLIDZ+A/mbVF:7fjCloUs5adcpX3lIDZz
Threatray: 7 similar samples on MalwareBazaar
TLSH: T116342371A52F5662C67F83F6DBF945AD7D1520BC4A85C33CB6BBE83B31865C289B0480
TrID:
  35.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: obfusor
Tags: dll Gh0stRAT Shellcode

Intelligence

File Origin
# of uploads: 2
# of downloads: 281
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 56 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 635664; sample GAPI32.dll; start date 29/05/2022; architecture WINDOWS; score 56): the sample starts loaddll32.exe and two rundll32.exe processes; loaddll32.exe starts rundll32.exe, cmd.exe, a further rundll32.exe and 6 other processes; cmd.exe starts rundll32.exe. Signatures on the graph: Multi AV Scanner detection for submitted file, Machine Learning detection for sample, and, on the first rundll32.exe child of loaddll32.exe, Creates an autostart registry key pointing to binary in C:\Windows.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-05-27 19:09:00 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 12 of 26 (46.15%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: persistence upx
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SHA256 hash: fdaeb4e1a71cb3b70830d4d567368d18e6f9ba6ca8296ae667460c6a1985fc75
MD5 hash: 15ffceae34948372a5ec9614e67f15bb
SHA1 hash: 8ae033f37fb3e93a85daeda84e17485398d10b4b
SHA256 hash: 8b4d93af831e8015390e408e5d3ca39ea69287ed500fdea41457a652a0eb336f
MD5 hash: e6ef8b625cb7c23b6a54df9a255641dc
SHA1 hash: 7134ed6a7259a062374e8689e8524fd2d9e46a05
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments