MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



HolyGhost


Vendor detections: 12



SHA256 hash: 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd
SHA3-384 hash: ae402b758920cb39e5c024c0752ae284e3b39b2c17ac54c47620454f1e6c6f4da540ef882d574ae529d72d7803806540
SHA1 hash: d7d472bfc62bd6f52e3b4b3c7e88b92b664dd142
MD5 hash: 54ca404d16db18d233c606b48c73d66f
humanhash: mississippi-bacon-friend-arizona
File name: 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd
Signature: HolyGhost
File size: 1'435'136 bytes
First seen: 2023-02-09 22:07:09 UTC
Last seen: 2023-02-09 23:30:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e35d8b44296d67eb10cc5ca04f16565a (1 x HolyGhost)
ssdeep: 24576:RtpRWh9e6yT5p0qMBNEYhw+fEh9vnwR76aNGu:Rch9JqMBNZNMh962c
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1D465BE22FB40D132F6A10072DA2D9F6B995CAE31673444D3B3D44E1E6AB48E35E36B47
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: cs0sf
Tags: DPRK exe H0lyGhost HolyGhost NorthKorea Ransomware

Intelligence


File Origin
# of uploads: 2
# of downloads: 764
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd
Verdict: No threats detected
Analysis date: 2023-02-09 22:10:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
  Searching for the window
  Creating a window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
  MalwareBazaar
  MeasuringTime
  EvasionQueryPerformanceCounter
  CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: filecoder greyware hacktool rat
Malware family: HolyGhost Ransomware
Verdict: Malicious
Result
Threat name: HolyGhost SiennaBlue
Detection: malicious
Classification: rans
Score: 64 / 100
Signature
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  Yara detected HolyGhost SiennaBlue Ransomware
Threat name: Win32.Trojan.SiennaPurple
Status: Malicious
First seen: 2022-07-14 23:58:39 UTC
File Type: PE (Exe)
AV detection: 28 of 39 (71.79%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd
MD5 hash: 54ca404d16db18d233c606b48c73d66f
SHA1 hash: d7d472bfc62bd6f52e3b4b3c7e88b92b664dd142
Detections: win_sienna_purple_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: win_sienna_purple_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.sienna_purple.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments