MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0
SHA3-384 hash: 44eff24d22f78bff59776a16c4f40ba3e7d6128a9314bd6d8dfc71db60e43fb1352080a2c683270432d1cbe84408a14f
SHA1 hash: 6cb2de3ac7ec7efc7e8483ecf0e015b9c2819421
MD5 hash: 40ac2a5a4ea898a9b4b7009062c63b15
humanhash: tennis-wolfram-cola-six
File name:40ac2a5a4ea898a9b4b7009062c63b15.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'703'936 bytes
First seen:2023-04-21 15:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd76b3076b91210691a3c5566d2a3ea1 (1 x Gh0stRAT)
ssdeep 24576:ErJ+YtE0c1dxUnh+rgERYIeUUVJH7pbFnGIvaBnpL:+tY1e+rzRYjUUZ
Threatray 94 similar samples on MalwareBazaar
TLSH T192752051F6FFE96FE03666B08829214AB3571256B1A33CE85D6C4DE25C332B47D92C0B
TrID 32.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.7% (.SCR) Windows screen saver (13097/50/3)
11.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon d4c4ccf0e8f0d4d4 (2 x Gh0stRAT)
Reporter abuse_ch
Tags:exe Gh0stRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
40ac2a5a4ea898a9b4b7009062c63b15.exe
Verdict:
Malicious activity
Analysis date:
2023-04-21 15:38:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/265f7b4e-89ee-4412-b39f-55b3a4df2327

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zegost
Create hunting rule
Link:
https://www.capesandbox.com/analysis/383985/
Detection(s):
SecuriteInfo.com.Variant.Jaik.141386.23190.2956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Searching for the window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80783/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CursorPosition
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug greyware keylogger packed shell32.dll
Link:
https://www.filescan.io/uploads/6442ada07ee5da80cfdfff78/reports/4ecdf1c0-f637-476e-9494-c212d2540221/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4df39849-1768-4103-b2ae-f77d66debc07
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218756
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Checks if browser processes are running
Connects to many ports of the same IP (likely port scanning)
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify clipboard data
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-20 20:10:28 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6jqantjxs4ye3jrzdn3dqwvccl7mykubua77d775myk4ezsupaa._file
Verdict:
malicious
Similar samples:
1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825
Gh0stRAT
20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286
Gh0stRAT
5409122ed4854435632036bd0ff599fe1b3c623ab7dbf53926bd9a70f1b67888
Gh0stRAT
5df46a85b08eb145dd1d6341934ac9a46479b6a8685b21c89d01de18aeb0f72b
Gh0stRAT
a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf
Gh0stRAT
c3b1e2b8a95508b33e4a5fdf7275082a2f2578ccbfd16eca42c30c34837e579d
Gh0stRAT
+ 84 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan
Link:
https://tria.ge/reports/230421-s2g4baad2z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates connected drives
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
299669b0a0e7659f2921e709d8a9155fd54b6a261ae2919047de5fa4dba9cbbf
MD5 hash:
90bbe200f372cf4d190e5c1d28a314da
SHA1 hash:
867b96dbdab44aaadfe036f06432e7bb782fc203
Link:
https://www.unpac.me/results/5bbf0738-1b29-42b2-bc2d-43a6a646d0f8/
SH256 hash:
9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0
MD5 hash:
40ac2a5a4ea898a9b4b7009062c63b15
SHA1 hash:
6cb2de3ac7ec7efc7e8483ecf0e015b9c2819421
Link:
https://www.unpac.me/results/5bbf0738-1b29-42b2-bc2d-43a6a646d0f8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9793003669bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/9793003669bcb9826d31c8dbb1c2d51097f661540d01ff8fffeb30ae1332a3c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383985/

Comments