MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a
SHA3-384 hash: 73e35d4cf965104a1e9c0df9584994522bd3abb9ce23b9c46863c87032e15bdbc513cd6cf4285a100fad31c358b1918f
SHA1 hash: 4d8011b7696697566eb852de579e7300ac87dfb6
MD5 hash: b0957cb160f90240206a4d1fa3013230
humanhash: may-chicken-mexico-winter
File name:wda_86.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:111'104 bytes
First seen:2024-06-21 18:37:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8bf08fa843a9ec1ce10d80fbf550c26 (87 x ValleyRAT, 1 x Gh0stRAT)
ssdeep 3072:ybWjdIPbcia0NFtwwnILn3py6D268XEPKI2:ybWjMbcCtwwnchx1y
TLSH T1C9B37B2172A0C072C093253199F9EBB25E7EF93117B844CBB7E416BA5F603C16A7539B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter mautshim
Tags:exe Gh0stRAT SilverFox ValleyRAT winos

Intelligence

File Origin
# of uploads :
1
# of downloads :
404
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a.exe
Verdict:
Malicious activity
Analysis date:
2024-06-21 18:38:04 UTC
Tags:
silverfox backdoor
Link:
https://app.any.run/tasks/14246836-d4c2-4f14-a216-9f6f1cd37a43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Fragtor-10028386-0
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6675c88c0591661c2a1fa6d7win7simulatehigh_evasion
Tags:
Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Creating a window
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan.Farfli
Link:
https://www.hybrid-analysis.com/sample/8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
APT27
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5acf0fb7-56d2-48f2-a51b-5d5db167589c
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1460890
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2024-06-21 18:38:04 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnxlhkwfmbjizk6jmnr7qhpylfnrlw32tlrawfegxd77n273vj5a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240621-w92dpstbrr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/38bf7813-90e2-4988-9344-747f5ac584a4
Unpacked files
SH256 hash:
8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a
MD5 hash:
b0957cb160f90240206a4d1fa3013230
SHA1 hash:
4d8011b7696697566eb852de579e7300ac87dfb6
Detections:
win_zhmimikatz_auto
Create hunting rule
Link:
https://www.unpac.me/results/53abdf4c-99ff-4c77-a8db-6fe7a96597d4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b6eb3aac560/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 8b6eb3aac560528cabc96363f81df8595b15db7a9ae20b1486b8fff6ebfbaa7a

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAEnumNetworkEvents
WS2_32.dll::WSAEventSelect
WS2_32.dll::WSAIoctl
WS2_32.dll::WSAResetEvent
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW

Comments