MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8de2dbae6460fda8a7dae85b6dde85cb511cf57462449b2120b4652340fbec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d8de2dbae6460fda8a7dae85b6dde85cb511cf57462449b2120b4652340fbec
SHA3-384 hash: 527b3e0d88d1ad67f66d0c2ccda391ce91bed0328acfe8f11bdbf48c79279db268c3c558de3a07b784d663b781d2ab35
SHA1 hash: 5651ff0aaa3488186bae6abebb667470f7ad8772
MD5 hash: c7f46191959054a2cc3ea3cff5db657d
humanhash: jupiter-friend-robert-one
File name:c7f46191959054a2cc3ea3cff5db657d.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:2'079'921 bytes
First seen:2022-05-22 00:46:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 575ea90c069471216fa3adaba586119e (5 x Gh0stRAT, 2 x QuasarRAT, 1 x DarkComet)
ssdeep 49152:B/Binf9oJwEPqRCI8i5IWPfrBsGePLiqYa0GP27hi:vJwEPqMjWPDWGePLiq3P2Ni
Threatray 6 similar samples on MalwareBazaar
TLSH T19EA5332C29A50A6FFCA594F45016B78F0BC59DF7F1F851CF1288B62E74F429635603A2
TrID 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ccccccc8ee8a0c04 (1 x Gh0stRAT)
Reporter abuse_ch
Tags:exe Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
110.249.156.50:9522

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
110.249.156.50:9522 https://threatfox.abuse.ch/ioc/624239/

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7f46191959054a2cc3ea3cff5db657d.exe
Verdict:
Malicious activity
Analysis date:
2022-05-22 01:05:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c7223fd-a873-4598-80cf-5107f0867df3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PcClient
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273369/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Launching a service
Creating a file in the Windows subdirectories
Loading a system driver
Enabling autorun for a service
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19470/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerber crypter hupigon packed ramnit
Link:
https://www.filescan.io/uploads/6289880aeba388bb867f1b30/reports/5e17e003-dfe6-479e-802f-a17ae2f927e6/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efa9145b-1533-4f22-a742-3b1fac6cd14b
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994777
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 627269 Sample: GIW-P2024.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for dropped file 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 5 other signatures 2->43 6 GIW-P2024.exe 10 2->6         started        9 svchost.exe 1 2->9         started        13 svchost.exe 9 1 2->13         started        15 6 other processes 2->15 process3 dnsIp4 27 C:\Users\user\AppData\Local\Temp\...\sql.exe, PE32 6->27 dropped 29 C:\Users\user\AppData\Local\Temp\...\a1.exe, PE32 6->29 dropped 17 sql.exe 2 5 6->17         started        21 a1.exe 6->21         started        31 110.249.156.50, 9522 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN China 9->31 53 System process connects to network (likely due to code injection or exploit) 9->53 55 Found stalling execution ending in API Sleep call 9->55 57 Contains functionality to detect sleep reduction / modifications 9->57 33 127.0.0.1 unknown unknown 13->33 35 192.168.2.1 unknown unknown 15->35 file5 signatures6 process7 file8 23 C:\Windows\FileName.jpg, PE32 17->23 dropped 25 C:\706200.dll, PE32 17->25 dropped 45 Antivirus detection for dropped file 17->45 47 Multi AV Scanner detection for dropped file 17->47 49 Machine Learning detection for dropped file 17->49 51 Contains functionality to detect sleep reduction / modifications 17->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d8de2dbae6460fda8a7dae85b6dde85cb511cf57462449b2120b4652340fbec/
Threat name:
Win32.Dropper.Aicat
Create hunting rule
Status:
Malicious
First seen:
2022-05-10 11:18:44 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
38 of 41 (92.68%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwg6fw5omrqp3kfh3lufw3o6qxfvchhvorrejgzbec2gki2a7pwa._file
Verdict:
malicious
Similar samples:
7e517ca276ec74474e8e32475e762aebc320fbe5e68f3bbdbc925c20ec3bf128
Gh0stRAT
a3b7929d37805fa49dda5200049f664f38c6832fcc8d9d58f4afb7d7906a2d23
Gh0stRAT
a7a9d11f1cfcd60a6548d3f5033f0d621a0c383e4d02af3e2782af0eab8085e7
Gh0stRAT
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat rat suricata upx
Link:
https://tria.ge/reports/220522-a5dk7aecb6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Gh0st RAT payload
Gh0strat
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
suricata: ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
suricata: ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
Unpacked files
SH256 hash:
35b0e80adef586582074047880f6c5b9eee42eca4f1f80829c4af990713cc4c1
MD5 hash:
70425beba7cbbd3128858b56bc5b8acf
SHA1 hash:
dd7c7723a942803aab70cdc6898086acf1f93a95
Link:
https://www.unpac.me/results/b5040bc1-c27e-41b5-9d90-9b0198c320cd/
SH256 hash:
4660dc17d60bad9e98c45cbba6dbb552c81b4f29bacaa76ffcbe6280b3641595
MD5 hash:
9d8306bb5ae4ae1c8790a654b9103517
SHA1 hash:
4dfcd453c4805c0b6df467812249fbecb0cc1cdc
Link:
https://www.unpac.me/results/b5040bc1-c27e-41b5-9d90-9b0198c320cd/
SH256 hash:
8ad7aee06e138580471b60b0f88c3b50e507e4137c98b8efd797cbc50b25189b
MD5 hash:
59c7ea6064ef9397d3d2e7c97f0f4ae0
SHA1 hash:
5f66ccd40d082e5c5ec13ea0378ff43b1cc7cd54
Link:
https://www.unpac.me/results/b5040bc1-c27e-41b5-9d90-9b0198c320cd/
SH256 hash:
e3ebd0b270bb7ec03dfed86cf3f2936334c4a6d0052f8d790bcf4060add4bd51
MD5 hash:
8231c91f6503e8f5dbc9e092591c5be0
SHA1 hash:
0c034693536c51c30642267a4b5ffc54aac4ff96
Link:
https://www.unpac.me/results/b5040bc1-c27e-41b5-9d90-9b0198c320cd/
SH256 hash:
8d8de2dbae6460fda8a7dae85b6dde85cb511cf57462449b2120b4652340fbec
MD5 hash:
c7f46191959054a2cc3ea3cff5db657d
SHA1 hash:
5651ff0aaa3488186bae6abebb667470f7ad8772
Link:
https://www.unpac.me/results/b5040bc1-c27e-41b5-9d90-9b0198c320cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
PcClient
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d8de2dbae6460fda8a7dae85b6dde85cb511cf57462449b2120b4652340fbec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273369/

Comments