MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b79dcff7e5007961448d9baeb7fa7ef65c399166b5250c982084b22899466cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b79dcff7e5007961448d9baeb7fa7ef65c399166b5250c982084b22899466cb
SHA3-384 hash: 3cdd8e47bbe7928c5972c853e19b679e57ad22cc05d4db33902e88d32b618bff0cde5b4ed962a309c27d8f5fc8ef0418
SHA1 hash: 1655c29315145cbd4622c24f268245490bba069c
MD5 hash: 7448f07e20cc2a5e59ce8de6d88a3241
humanhash: jupiter-twenty-michigan-georgia
File name:8B79DCFF7E5007961448D9BAEB7FA7EF65C399166B525.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:134'753 bytes
First seen:2021-10-03 23:30:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 3072:ALk395hYXJ3kN+4EyCDgPa9tG9Xd28E/vgJ8u:AQqRkN+NyCsi9t2CvgJ8u
Threatray 8 similar samples on MalwareBazaar
TLSH T1CDD3AD9EE0415F1BC232D1BB0ADF9935BCFE43BF8E915B0737652853AB80546B02915B
File icon (PE):PE icon
dhash icon f4f4e6c6e6e6ccdc (18 x Cybergate, 5 x Gh0stRAT, 1 x Blackmoon)
Reporter abuse_ch
Tags:exe Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
104.232.98.28:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.232.98.28:2222 https://threatfox.abuse.ch/ioc/230034/

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8B79DCFF7E5007961448D9BAEB7FA7EF65C399166B525.exe
Verdict:
No threats detected
Analysis date:
2021-10-03 23:31:34 UTC
Tags:
installer
Link:
https://app.any.run/tasks/b5c4bc61-24af-4264-ad27-9cb1e9fcd58e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Gh0St
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194392/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Deleting a system file
Moving a system file
Replacing system executable files
Launching a process
Creating a process with a hidden window
Connection attempt
Enabling the 'hidden' option for recently created files
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Infecting executable files
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615c2f61e3d213d202b773fc/reports/8c7fda56-7f25-40dd-9c12-80b6faf35a40/overview
Malware family:
Zegost
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7b4f282-4863-4133-91b5-66eade166683
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863554
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to enumerate network shares of other devices
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495978 Sample: 8B79DCFF7E5007961448D9BAEB7... Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 5 other signatures 2->50 7 8B79DCFF7E5007961448D9BAEB7FA7EF65C399166B525.exe 6 2->7         started        11 Ball.exe 2->11         started        13 Ball.exe 2->13         started        process3 file4 30 C:\Windows\Temp\20167616710.exe, PE32 7->30 dropped 52 Drops executables to the windows directory (C:\Windows) and starts them 7->52 15 20167616710.exe 1 8 7->15         started        54 Antivirus detection for dropped file 11->54 56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 60 Contains functionality to detect sleep reduction / modifications 11->60 signatures5 process6 dnsIp7 32 104.232.98.28, 2222 HENGTONG-IDC-LLCUS United States 15->32 34 192.168.2.1, 49773, 80 unknown unknown 15->34 22 C:\Windows\Tasks\        .bat, PE32 15->22 dropped 24 C:\Windows\SysWOW64\ctfmon.exe, PE32 15->24 dropped 26 C:\Windows\Ball.exe, PE32 15->26 dropped 28 C:\WINDOWS\SysWOW64\ctfmon1.exe (copy), PE32 15->28 dropped 36 Antivirus detection for dropped file 15->36 38 Multi AV Scanner detection for dropped file 15->38 40 Contains functionality to enumerate network shares of other devices 15->40 42 7 other signatures 15->42 20 ctfmon1.exe 15->20         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b79dcff7e5007961448d9baeb7fa7ef65c399166b5250c982084b22899466cb/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2016-07-08 23:16:00 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rn45z736kadzmfci3g5ow75h55s4hgiwnnjfbsmcbbfsfcmum3fq._file
Verdict:
malicious
Similar samples:
2b0f36a54f41ddf97236593602090cfcbc4d550c6cdca08d09a483b3d5b7ba6c
Gh0stRAT
3e8dd70c08a940466b486f393409fe74e3ec39c21ff60ddf6ffb1ee7a2511ed1
Gh0stRAT
43f2dc3cf7c1a7deb7093ee23ac547e339772c3efca764d136b1d42542c34b0f
Gh0stRAT
83fbbd31e43ad25a8921c98d97b287ebc8902451f7647c2266e5f0688471e8b6
Gh0stRAT
a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d
Gh0stRAT
b89c262b14911c4480ed00b35a53500ecabb8f9df4169f2a84c3028f468cff48
Gh0stRAT
bea67778fa9a788b8137fb623d045d2b90011f806ddc38212d9f4d877ab8d49a
Gh0stRAT
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/211003-3hpn6afghp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
26ae7f3f3393bef628b2e9841e7a6ec490871eb5cea19dc2b2fec4f7f434def3
MD5 hash:
9d0be21602ac20b7afaaacb575d24b99
SHA1 hash:
579f98d738f98859087e5c07bfd86c142bf85cce
Link:
https://www.unpac.me/results/c400a467-d8f2-48b2-a42a-513ab4fecd93/
SH256 hash:
8b79dcff7e5007961448d9baeb7fa7ef65c399166b5250c982084b22899466cb
MD5 hash:
7448f07e20cc2a5e59ce8de6d88a3241
SHA1 hash:
1655c29315145cbd4622c24f268245490bba069c
Link:
https://www.unpac.me/results/c400a467-d8f2-48b2-a42a-513ab4fecd93/
Malware family:
Gh0st RAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8b79dcff7e50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b79dcff7e5007961448d9baeb7fa7ef65c399166b5250c982084b22899466cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194392/

Comments