MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 26 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
SHA3-384 hash: f923a42ce68795b27106ef8c794d4f9a377b284ac5c65aadec3d443432b7e4cb5886a10ea001d26bd64a10c935bef3ec
SHA1 hash: a609b1de628998746bd1f33616f2a3324764fb52
MD5 hash: 3dfe6ff32db8cd1e7f6b2fba4c308836
humanhash: glucose-blue-social-cup
File name:3dfe6ff32db8cd1e7f6b2fba4c308836
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:4'844'062 bytes
First seen:2024-04-05 04:00:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep 98304:iws2ANnKXOaeOgmh707KZxDnDCa+WlcelG07E2MLM:4KXbeO7a2v5zyelw2M
TLSH T1F826D043B5954862C3C85671DE67DAB39B207EBE1BF3423EB648FDC43B352447A22225
TrID 34.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
18.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
10.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 00ccc4d0c4fc7c02 (3 x Gh0stRAT, 2 x Worm.Duptwux)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
355
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811.exe
Verdict:
Malicious activity
Analysis date:
2024-04-05 04:03:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9495ee03-986a-42b0-b644-6ddd258efe99

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a file
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Creating a file in the drivers directory
Loading a system driver
DNS request
Moving a file to the %temp% directory
Modifying an executable file
Running batch commands
Creating a process with a hidden window
Connection attempt
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive explorer flystudio keylogger killav lolbin overlay packed packed rat rundll32 shell32
Link:
https://www.filescan.io/uploads/660f7782d463a7b047807c92/reports/1cd806b5-dcf4-415b-889b-6a52bb587693/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/303c15de-1ba4-4b70-a46d-d60ae045740b
Result
Threat name:
Chaos, Gh0stCringe, GhostRat, Mimikatz,
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.bank
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1420652
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many different private IPs (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Chaos
Yara detected Gh0stCringe
Yara detected GhostRat
Yara detected Mimikatz
Yara detected RunningRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1420652 Sample: 1MtOpXycRI.exe Startdate: 05/04/2024 Architecture: WINDOWS Score: 100 61 www.google.com 2->61 63 hackerinvasion.f3322.net 2->63 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for URL or domain 2->77 79 Antivirus detection for dropped file 2->79 81 14 other signatures 2->81 9 1MtOpXycRI.exe 6 2->9         started        12 TXPlatfor.exe 2->12         started        15 csrss.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 53 C:\Users\user\Desktop\HD_1MtOpXycRI.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\Temp\R.exe, PE32 9->55 dropped 57 C:\Users\user\AppData\Local\Temp57.exe, PE32 9->57 dropped 59 C:\Users\user\AppData\Local\Temp\HD_X.dat, PE32 9->59 dropped 19 HD_1MtOpXycRI.exe 1 1 9->19         started        24 N.exe 1 1 9->24         started        26 R.exe 1 9->26         started        95 Antivirus detection for dropped file 12->95 97 Multi AV Scanner detection for dropped file 12->97 99 Machine Learning detection for dropped file 12->99 101 Drops executables to the windows directory (C:\Windows) and starts them 12->101 28 TXPlatfor.exe 13 1 12->28         started        30 WerFault.exe 2 17->30         started        32 WerFault.exe 2 17->32         started        signatures6 process7 dnsIp8 65 192.168.2.100 unknown unknown 19->65 67 192.168.2.101 unknown unknown 19->67 69 98 other IPs or domains 19->69 45 C:\ProgramData\Microsoft\csrss.exe, PE32 19->45 dropped 83 Antivirus detection for dropped file 19->83 85 Multi AV Scanner detection for dropped file 19->85 87 Connects to many different private IPs (likely to spread or exploit) 19->87 89 Drops PE files with benign system names 19->89 47 C:\Windows\SysWOW64\TXPlatfor.exe, PE32 24->47 dropped 91 Machine Learning detection for dropped file 24->91 34 cmd.exe 1 24->34         started        49 C:\Windows\SysWOW64\6468546.txt, PE32 26->49 dropped 37 WerFault.exe 19 16 26->37         started        39 WerFault.exe 2 16 26->39         started        51 C:\Windows\System32\drivers\QAssist.sys, PE32+ 28->51 dropped 93 Sample is not signed and drops a device driver 28->93 file9 signatures10 process11 signatures12 71 Uses ping.exe to sleep 34->71 73 Uses ping.exe to check the status of other devices and networks 34->73 41 conhost.exe 34->41         started        43 PING.EXE 1 34->43         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2023-08-26 23:26:11 UTC
File Type:
PE (Exe)
Extracted files:
129
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5q2g5l7on2ajqs2fa353up7nqkn7y4ucj6ivfgfyehqbx5djaiq._file
Verdict:
malicious
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox persistence rat rootkit trojan upx
Link:
https://tria.ge/reports/240405-ek72hscc27/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Sets DLL path for service in the registry
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
fe04dd20c27d483e0ed1f07f39f2cf8f54f1e1af9ad794c9dfc4773a8fae7f60
MD5 hash:
8b1eda0bf1e445f16b910bc00b57d9b9
SHA1 hash:
5bbc680644c09a94d865c2440242a2eed1243d7f
Detections:
check_installed_software
Create hunting rule
Mimikatz_Strings
Create hunting rule
Hidden
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/2ad4b194-56b0-409a-80a1-3f9ce1a3dddf/
Parent samples :
d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656
9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
5830e0703e93cc2d8a1ba6377650ff5f7b8cbb36d58122c613fa56930f71a88d
90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660
SH256 hash:
8c030e2f7363391e1c80f50a9219cfb6a0bc8601a5277dbd46c6eeec7f7cff94
MD5 hash:
02b1005f3a055cd9947bc00f4de88809
SHA1 hash:
aa66072f4f37c86745e235d912f41cd52d05ed00
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/2ad4b194-56b0-409a-80a1-3f9ce1a3dddf/
SH256 hash:
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
MD5 hash:
8dc3adf1c490211971c1e2325f1424d2
SHA1 hash:
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
Link:
https://www.unpac.me/results/2ad4b194-56b0-409a-80a1-3f9ce1a3dddf/
SH256 hash:
7bb91aa1f88d827f422ffbadd0e8cd8ba1698082636a53d9791b4ba0f04c7bce
MD5 hash:
49e6af68ac6787c494f6d803500e27e3
SHA1 hash:
df6baaaed9c8b0228d738a4fe3e4a865a8d52a13
Detections:
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Link:
https://www.unpac.me/results/2ad4b194-56b0-409a-80a1-3f9ce1a3dddf/
SH256 hash:
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
MD5 hash:
4a36a48e58829c22381572b2040b6fe0
SHA1 hash:
f09d30e44ff7e3f20a5de307720f3ad148c6143b
Link:
https://www.unpac.me/results/2ad4b194-56b0-409a-80a1-3f9ce1a3dddf/
SH256 hash:
9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811
MD5 hash:
3dfe6ff32db8cd1e7f6b2fba4c308836
SHA1 hash:
a609b1de628998746bd1f33616f2a3324764fb52
Link:
https://www.unpac.me/results/2ad4b194-56b0-409a-80a1-3f9ce1a3dddf/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f61a3757f73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:Linux_Trojan_Kaiji_91091be3
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Generic_Threat_3f060b9c
Create hunting rule
Author:Elastic Security
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 9f61a3757f737404c25a2837ddd1ff6c14dfe394127c8a94c5c10f00dfa34811

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2801695/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play MultimediaWINMM.dll::midiOutPrepareHeader
WINMM.dll::midiOutReset
WINMM.dll::midiOutUnprepareHeader
WINMM.dll::midiStreamClose
WINMM.dll::midiStreamOpen
WINMM.dll::midiStreamOut
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA

Comments


Avatar
zbet commented on 2024-04-05 04:00:06 UTC

url : hxxp://49.234.192.109:1234/win.exe