MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e6ab3fa1fd0a8bcef6b042cd9f0120847180ec1e57b10c28336ace670470e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e6ab3fa1fd0a8bcef6b042cd9f0120847180ec1e57b10c28336ace670470e22
SHA3-384 hash: 6b4c22989e25ee5e79b4d031c5b669a75f5822ba5695744f4e32e44c51094fd9569beb2fbb21e580b8e51f84928d3d61
SHA1 hash: d4d148b65a1fe525527772f2f51b41e43281fe40
MD5 hash: 9b3e86fa835cd63b5887f4c51b786493
humanhash: lamp-november-tennis-two
File name:8E6AB3FA1FD0A8BCEF6B042CD9F0120847180EC1E57B1.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'241'088 bytes
First seen:2022-04-23 06:36:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d85c474c7dbd53f4ca1576d267d64927 (1 x Gh0stRAT)
ssdeep 24576:sKwHE0vnaU7jOA712v8Pb4k6Mfc7wHBMbyjxUU02cA:mk0Pa4bYvrkzfMGO+82cA
Threatray 2'097 similar samples on MalwareBazaar
TLSH T16D45CF51B5C380F6EA65213005AA2B3AEA38EF470F15AFC79374EE7C1D361E0A53715A
TrID 22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
18.9% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
11.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.3% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon 74a8e9f04460f0d2 (1 x Gh0stRAT, 1 x DBatLoader)
Reporter abuse_ch
Tags:exe Gh0stRAT


Avatar
abuse_ch
Gh0stRAT C2:
144.202.74.176:2012

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
144.202.74.176:2012 https://threatfox.abuse.ch/ioc/528217/

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266033/
Detection(s):
Win.Trojan.Qqpass-7101290-0
Create hunting rule

Win.Malware.Generic-9820446-0
Create hunting rule

Win.Packed.Graybird-9853595-0
Create hunting rule

Win.Trojan.Qqpass-9882688-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Moving a file to the Windows subdirectory
Launching the process to interact with network services
DNS request
Launching a process
Launching a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/62639e93ada609b2645f41fe/reports/7e6d4ca7-a278-42f0-8e2c-736724c62fcb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5193e646-94ad-4d21-b274-c59b02bc5221
Result
Threat name:
Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981815
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to capture and log keystrokes
Contains functionality to check if the process is started with administrator privileges
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 614302 Sample: 8E6AB3FA1FD0A8BCEF6B042CD9F... Startdate: 23/04/2022 Architecture: WINDOWS Score: 100 30 www.af0575.com 2->30 32 cncert-sinkhole.net 2->32 34 asd1738402137.f3322.org 2->34 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Antivirus detection for URL or domain 2->46 48 6 other signatures 2->48 9 8E6AB3FA1FD0A8BCEF6B042CD9F0120847180EC1E57B1.exe 2 3 2->9         started        signatures3 process4 file5 24 C:\Windows\SysWOW64\yy.exe, PE32 9->24 dropped 26 C:\Users\user\Desktop\jedata.dll, PE32 9->26 dropped 50 Drops executables to the windows directory (C:\Windows) and starts them 9->50 52 Contains functionality to detect sleep reduction / modifications 9->52 13 yy.exe 2 19 9->13         started        signatures6 process7 dnsIp8 36 www.af0575.com 47.91.170.222, 2011 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 13->36 38 cncert-sinkhole.net 144.202.74.176, 2012, 49744, 49747 AS-CHOOPAUS United States 13->38 40 4 other IPs or domains 13->40 28 C:\Windows\245CE7AD\svchsot.exe (copy), PE32 13->28 dropped 54 Antivirus detection for dropped file 13->54 56 Multi AV Scanner detection for dropped file 13->56 58 Found evasive API chain (may stop execution after checking mutex) 13->58 60 7 other signatures 13->60 18 net.exe 1 13->18         started        file9 signatures10 process11 process12 20 conhost.exe 18->20         started        22 net1.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e6ab3fa1fd0a8bcef6b042cd9f0120847180ec1e57b10c28336ace670470e22/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2015-01-29 19:37:00 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
34 of 42 (80.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzvlh6q72culz33laqwnt4asbbdrqdwb4v5rbqudg2wom4chbyra._file
Verdict:
malicious
Similar samples:
01a38195faaf7780f0f600c6d0d6c924559a4e639312e4023ce859e874d923c3
Gh0stRAT
2f5d5ebb1081dde3e9314ebbc61466f3686361d356f881533725d6fbf0002aa8
Gh0stRAT
41ccfe90282ef9f607a6abfcce0ff6af362970d454a568fe2d214dc4c3a7b17b
Gh0stRAT
485a5454645f5d90d1b3097336b08dcaa9d4b49db9738a2f953e81081002600d
Gh0stRAT
4c6db804a366a11a3321f87543f03c45e1785fed75a1c5e21ce39b658f6bb5bd
Gh0stRAT
5bd7d5a5ab6925d21b98481b204cfaf5be9e4d09479ca517d6fa25fec49adc9f
Gh0stRAT
94b85015bb3beb57e1810aec53712b8158fa10e3a970b0ee65484be34b3073cd
Gh0stRAT
b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2
Gh0stRAT
c2c66ec47fc9c969de74cbb8ae050243e5c51e8033811cb04bd3b975d0037d1b
Gh0stRAT
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
Gh0stRAT
+ 2'087 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220423-hdggrsaha2/
Behaviour
Checks processor information in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Unpacked files
SH256 hash:
aea24ad855a21f8203f9b1c19c6f1ffb4062241e20b01b26f7ec3d3e4996d379
MD5 hash:
859c074cd5ddd98de999524fa086151f
SHA1 hash:
cd7f2dd3e0cc0e7f7b51d809cb7d7e68b5bf5e98
Link:
https://www.unpac.me/results/73acb289-b4d3-410a-ae57-0985cfd2580b/
SH256 hash:
0c620cc09dc84c5c602e8109991101b70128c1d0b425d7e369483f751b045c4f
MD5 hash:
c520cc4eb03fea9dd78d06dda61465c1
SHA1 hash:
cb33355b7c9b729e4aff387bf4c464d2009e1313
Link:
https://www.unpac.me/results/73acb289-b4d3-410a-ae57-0985cfd2580b/
SH256 hash:
93e65d12f3c4c3a92fce8870b22a5841b5aae141eafa49852f8529e56e5e22b8
MD5 hash:
21cede4e4e32700793cac2cb3d9c4882
SHA1 hash:
467825dc56b8b685383eabafaa7cc7ce6ff1f88c
Link:
https://www.unpac.me/results/73acb289-b4d3-410a-ae57-0985cfd2580b/
SH256 hash:
8e6ab3fa1fd0a8bcef6b042cd9f0120847180ec1e57b10c28336ace670470e22
MD5 hash:
9b3e86fa835cd63b5887f4c51b786493
SHA1 hash:
d4d148b65a1fe525527772f2f51b41e43281fe40
Link:
https://www.unpac.me/results/73acb289-b4d3-410a-ae57-0985cfd2580b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e6ab3fa1fd0a8bcef6b042cd9f0120847180ec1e57b10c28336ace670470e22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Gen_Net_LocalGroup_Administrators_Add_Command
Create hunting rule
Author:Florian Roth
Description:Detects an executable that contains a command to add a user account to the local administrators group
Reference:Internal Research
Rule name:Gen_Net_LocalGroup_Administrators_Add_Command_RID38C1
Create hunting rule
Author:Florian Roth
Description:Detects an executable that contains a command to add a user account to the local administrators group
Reference:Internal Research
Rule name:GhostDragon_Gh0stRAT
Create hunting rule
Author:Florian Roth
Description:Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:https://blog.cylance.com/the-ghost-dragon
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination manipulating RDP / Terminal Services
Rule name:myGozi
Create hunting rule
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266033/

Comments