MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 970af7bb894f41469d03cf0961601dd32fc22d7c6e8174ed0fafe41960fe7c04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 970af7bb894f41469d03cf0961601dd32fc22d7c6e8174ed0fafe41960fe7c04
SHA3-384 hash: 222cc8f3fdb6cd62507b88474f1acca37c09aedf94e6fa331e0b32d49f94ced0d3f6e7fdf36208ebe01bebdaff39a36e
SHA1 hash: 75f78a2c8854a66b740fe0066ac2c3ee8525dc59
MD5 hash: cd2451d0362ca97fde7bae24b22a7997
humanhash: bacon-nebraska-skylark-robin
File name:软件包1.0.1.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:132'704 bytes
First seen:2025-02-14 02:15:50 UTC
Last seen:2025-02-14 03:47:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 349e06594510a22d209e9fa5ce846957 (1 x Gh0stRAT)
ssdeep 3072:UykF1N4Nl+x+9Oue6DWZqizyrXfUw9cC6x1yssQ:3k3N4NK+9w6D+9CfvcDHVj
TLSH T13CD38C8A77A410F9D06BD178C882A7CAE772B405DB3267CF57688296EF236D10D3E351
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter kafan_shengui
Tags:exe Gh0stRAT SilverFox ValleyRAT winos

Intelligence

File Origin
# of uploads :
2
# of downloads :
520
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
软件包1.0.1.exe
Verdict:
No threats detected
Analysis date:
2025-02-14 02:19:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/041035f0-614a-418d-b8e4-b42edcc3d8f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.23344.7670.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67aea777a0fd713c335ac8c0
Tags:
shellcode virus agent
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/970af7bb894f41469d03cf0961601dd32fc22d7c6e8174ed0fafe41960fe7c04
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d5b1244f-abd3-455a-9d37-aef92c44d166
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614758
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614758 Sample: #U8f6f#U4ef6#U53051.0.1.exe Startdate: 14/02/2025 Architecture: WINDOWS Score: 100 83 vien3h.oss-cn-beijing.aliyuncs.com 2->83 85 sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com 2->85 87 5 other IPs or domains 2->87 95 Suricata IDS alerts for network traffic 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for dropped file 2->99 101 9 other signatures 2->101 9 ujOF6g.exe 36 2->9         started        14 #U8f6f#U4ef6#U53051.0.1.exe 1 24 2->14         started        16 ujOF6g.exe 2->16         started        18 14 other processes 2->18 signatures3 process4 dnsIp5 91 sc-29j7.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com 118.178.60.9, 443, 49983, 49984 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 9->91 67 C:\Program Files (x86)\pOOohG\tbcore3U.dll, PE32 9->67 dropped 69 C:\Program Files (x86)\pOOohG\pOOohG.exe, PE32 9->69 dropped 71 C:\Program Files (x86)\1EbB7a\tbcore3U.dll, PE32 9->71 dropped 79 13 other malicious files 9->79 dropped 113 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->113 115 Found direct / indirect Syscall (likely to bypass EDR) 9->115 20 1EbB7a.exe 4 5 9->20         started        25 cmd.exe 1 9->25         started        27 pOOohG.exe 9->27         started        35 3 other processes 9->35 93 sc-21tm.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com 39.103.20.21, 443, 49704, 49705 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 14->93 73 C:\Windows\System32\drivers\189atohci.sys, PE32+ 14->73 dropped 75 C:\Users\user\Documents\vselog.dll, PE32+ 14->75 dropped 77 C:\Users\user\Documents\ujOF6g.exe, PE32+ 14->77 dropped 81 4 other malicious files 14->81 dropped 117 Drops PE files to the document folder of the user 14->117 119 Sample is not signed and drops a device driver 14->119 121 Writes many files with high entropy 14->121 123 Tries to detect virtualization through RDTSC time measurements 16->123 125 Uses cmd line tools excessively to alter registry or file data 18->125 29 reg.exe 1 1 18->29         started        31 reg.exe 1 1 18->31         started        33 reg.exe 1 1 18->33         started        37 5 other processes 18->37 file6 signatures7 process8 dnsIp9 89 103.106.191.3, 49992, 8200 TELECOM-HKHongKongTelecomGlobalDataCentreHK China 20->89 59 C:\Program Files (x86)\...\tbcore3U.dll, PE32 20->59 dropped 61 C:\Program Files (x86)\...\FQZFh2tt.exe, PE32 20->61 dropped 63 C:\Program Files (x86)\...\utils.vcxproj, JPEG 20->63 dropped 65 C:\Program Files (x86)\miHG6T3qO\log.src, PNG 20->65 dropped 103 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->103 105 Creates an undocumented autostart registry key 20->105 39 cmd.exe 20->39         started        107 Uses cmd line tools excessively to alter registry or file data 25->107 109 Uses schtasks.exe or at.exe to add and modify task schedules 25->109 41 conhost.exe 25->41         started        43 schtasks.exe 1 25->43         started        45 schtasks.exe 1 25->45         started        47 schtasks.exe 1 25->47         started        111 Adds extensions / path to Windows Defender exclusion list (Registry) 29->111 49 conhost.exe 35->49         started        51 conhost.exe 35->51         started        53 conhost.exe 35->53         started        55 9 other processes 35->55 file10 signatures11 process12 process13 57 conhost.exe 39->57         started       
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/970af7bb894f41469d03cf0961601dd32fc22d7c6e8174ed0fafe41960fe7c04
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/970af7bb894f41469d03cf0961601dd32fc22d7c6e8174ed0fafe41960fe7c04/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-14 06:49:00 UTC
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s4fppo4jj5aunhidz4ewcya52mx4ell4n2axj3ipv7sbsyh6pqca._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250214-cp8gqsynhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
ta_abused_service
YARA:
n/a
Link:
https://app.threat.zone/submission/87b4d92c-4807-47bc-a80c-9135c3320ba3
Unpacked files
SH256 hash:
970af7bb894f41469d03cf0961601dd32fc22d7c6e8174ed0fafe41960fe7c04
MD5 hash:
cd2451d0362ca97fde7bae24b22a7997
SHA1 hash:
75f78a2c8854a66b740fe0066ac2c3ee8525dc59
Link:
https://www.unpac.me/results/76758b0d-35ca-439e-b015-465d8c1dd64e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::DeleteFileW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW

Comments