MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zegost

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2
SHA3-384 hash:	6bd0257bcecd1ba1afc2c21a45e3a3a48b5dea17c0c565929657dbf21f44fe8037b7384a9bfb4ff79256cfcf3753d4d2
SHA1 hash:	ba67822cdddde74685e6a8d8026ef40486ed3b84
MD5 hash:	bd3f6cab6425924732ab68965574084b
humanhash:	kentucky-red-earth-nineteen
File name:	ExeFile (297).exe
Download:	download sample
Signature	Zegost Create hunting rule
File size:	55'296 bytes
First seen:	2024-08-20 14:12:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8999f02b716fe8349a4fb9d0afb520ab (1 x Zegost)
ssdeep	1536:ypv9bPvTMu9qdzJBYujh3EEGsZj8Mk+nouy8Q:0vJ3r9kTx3u0outQ
Threatray	22 similar samples on MalwareBazaar
TLSH	T1B643F161DA98C28FC9AA95F054934B2A083AA304C356DB7A5F30306F6DE9E507F5C773
TrID	39.9% (.EXE) UPX compressed Win32 Executable (27066/9/6) 24.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	byMattii1234
Tags:	Zegost

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ExeFile (297).exe

Verdict:

Malicious activity

Analysis date:

2024-08-20 15:03:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/88208d91-218a-4b65-9e43-fcf1a84cfcc9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.DownLoader14.21761.6815.29292.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c4a482b2a4681a729661ab

Tags:

Static Stealth Trojan Farfli Pcclient

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

farfli hook installer microsoft_visual_cc packed packed packed razy upx

Link:

https://www.filescan.io/uploads/66c4a477ff28ddc140a0aac7/reports/18f1947c-9eb6-46b8-97b9-133ddfe2148f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2

Malware family:

Barys

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93675f51-7fa9-458b-9adc-3b2b53450749

Result

Threat name:

GhostRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1495985

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Deletes itself after installation

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GhostRat

Behaviour

Behavior Graph:

Download SVG

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2019-01-02 23:16:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 38 (92.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tszfdgutzkifzfr7p2mkvnngjzt6tr3baap2tkoc4x7axfph53ja._file

Verdict:

malicious

Zegost

8d8de2dbae6460fda8a7dae85b6dde85cb511cf57462449b2120b4652340fbec

Zegost

9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2

Zegost

ad054b7da89bc9b79659fa19a87f51ed568062b3c7a0918e2db01b3e6f1a62c8

Zegost

c44087b5df86f31b029c67fac6021bd35930936a02f2225a5c77e1122f94cbd6

Zegost

+ 12 additional samples on MalwareBazaar

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:gh0strat discovery rat upx

Link:

https://tria.ge/reports/240820-rh5vlazemj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Deletes itself

Loads dropped DLL

UPX packed file

Gh0st RAT payload

Gh0strat

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/04df871b-420e-4789-99f1-7ab5f5ef0643

Unpacked files

SH256 hash:

437db04d31060f858ec6931e7a0e50f7b932e6e24763e1ffcaa3f34b4cba188e

MD5 hash:

3ced50db27663f74cc38df60ef0a43cc

SHA1 hash:

183723b2fc5d0160368031f412fc13b96e553e2d

Link:

https://www.unpac.me/results/f6c55544-d4cd-46a2-be76-a40778cd3d6b/

SH256 hash:

3f7c36f42f175863bbb37c895dbabeb3dae8e9bf4bd49d4e13d46b4074ca3be4

MD5 hash:

98874367db26bf9e8c486a910907b80e

SHA1 hash:

b6bb1b7bdc01ea9efa927d70f307709fe546bd6d

Link:

https://www.unpac.me/results/f6c55544-d4cd-46a2-be76-a40778cd3d6b/

SH256 hash:

9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2

MD5 hash:

bd3f6cab6425924732ab68965574084b

SHA1 hash:

ba67822cdddde74685e6a8d8026ef40486ed3b84

Link:

https://www.unpac.me/results/f6c55544-d4cd-46a2-be76-a40778cd3d6b/

Malware family:

Gh0stRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9cb2519a93ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

PcClient

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	UPX20030XMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Zegost

exe 9cb2519a93ca905c963f7e98aab5a64e67e9c761001fa9a9c2e5fe0b95e7eed2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/21352/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/111419/

URLhaus

https://urlhaus.abuse.ch/url/111606/

URLhaus

https://urlhaus.abuse.ch/url/111614/

URLhaus

https://urlhaus.abuse.ch/url/111627/

URLhaus

https://urlhaus.abuse.ch/url/157699/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample