MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 11



SHA256 hash: 94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98
SHA3-384 hash: cc6dd60d45165decd8e67807d8f8fcc0c47658a9a3f27d180e8ee27bc47899735633b6efbebe4e6703d2f1221d8ce3ea
SHA1 hash: fa30a3f87931ee2eeadf8dfe0a612105e1392257
MD5 hash: 5d32587e7d8a3e5079216e6e26796f62
humanhash: eight-lemon-fourteen-maine
File name: Launcher.exe
Signature: Gh0stRAT
File size: 3'016'127 bytes
First seen: 2022-12-16 13:09:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d13d399db15c51a1337d692663151209 (3 x Gh0stRAT, 1 x Zegost)
ssdeep: 49152:mizYt16TjDqWDgwfi+gF6DXuAdAzAIkBHLOjcyMiKL5L9GLcvtl12KSJmB7x:Cu+WDgwfi+VDXuAitIOIBF7vtl1ZSJs
Threatray: 203 similar samples on MalwareBazaar
TLSH: T127D50127E3714BBEC056C13D81A28E09A76FB87D1737C0C745828659EB59AC02F3666F
TrID: 59.1% (.SCR) Windows screen saver (13097/50/3)
      13.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
      9.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 7b4fcc44361e14a4 (3 x Gh0stRAT, 1 x Zegost)
Reporter: iamdeadlyz
Tags: 45-153-241-207 exe FakeGaliXCity Gh0stRAT SpaceCity


Iamdeadlyz
From spacecity.games (impersonation of galixcity.io)
Gh0stRAT C&C: 45.153.241.207:1016

Intelligence


File Origin
# of uploads: 1
# of downloads: 197
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Launcher.exe
Verdict: Malicious activity
Analysis date: 2022-12-16 13:11:21 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
MalwareBazaar
LanguageCheck
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd.exe overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 52 / 100
Signature
Malicious sample detected (through community Yara rule)
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph (ID 768424; sample: Launcher.exe; start date: 16/12/2022; architecture: WINDOWS; score: 52):
Signatures: Malicious sample detected (through community Yara rule); Yara detected Obfuscated Powershell
Process chain: Launcher.exe started; cmd.exe started by Launcher.exe; conhost.exe started by cmd.exe
Dropped files: C:\Users\user\AppData\Local\...\0PI33UWF.bat (ASCII); C:\Users\user\...\dingtalk_downloader.exe (PE32)
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98
MD5 hash: 5d32587e7d8a3e5079216e6e26796f62
SHA1 hash: fa30a3f87931ee2eeadf8dfe0a612105e1392257
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gh0stRAT
File: Executable exe 94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98 (this sample)

Comments