MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a18e86dbfe2bee1ca87206bc3becd03bff4cd82be7747cb73ea3ed04191aef49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 13



SHA256 hash: a18e86dbfe2bee1ca87206bc3becd03bff4cd82be7747cb73ea3ed04191aef49
SHA3-384 hash: 186b1ec3fdc60bbaf59d5be5b176c84327fdc70e04ad800e472a3ecb1c406430f431c5c9e82f6c128e4d4020478c850f
SHA1 hash: 17e21ad9c97df38f0f58f5b21085e3e064c18c1c
MD5 hash: 90f1e6924855c8ed7ecd881d0fda3494
humanhash: golf-helium-blue-speaker
File name: 90f1e6924855c8ed7ecd881d0fda3494
Signature Gh0stRAT
File size: 406'016 bytes
First seen: 2022-07-23 05:38:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d (5 x Gh0stRAT, 2 x PurpleFox, 1 x YoungLotus)
ssdeep 12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2aa:s9Dbg6lV9C2JOBUIc12aa
Threatray 129 similar samples on MalwareBazaar
TLSH T1108412917F4591A3C3093A74CDE08F554E145FE11E28298FBD787BA8D9B02DE2C62E4B
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4505/5/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon f0f4e8cccce8d4f0 (8 x Gh0stRAT, 1 x Nitol, 1 x MimiKatz)
Reporter openctibr
Tags:exe Gh0stRAT OpenCTI.BR Sandboxed

Intelligence


File Origin
# of uploads: 1
# of downloads: 308
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed shiz
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Mimikatz
Detection: malicious
Classification: troj
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected Mimikatz
Behaviour
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2022-07-23 05:39:08 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 25 of 26 (96.15%)
Threat level: 5/5
Result
Malware family: purplefox
Score: 10/10
Tags: family:gh0strat family:purplefox rat rootkit trojan upx
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Enumerates connected drives
UPX packed file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SHA256 hash: af08dc9b09349ee909cf75ed123aba359ec1026b0943c7ed0ce01fb028c3af48
MD5 hash: 6402bf341201184f92a81783c672dcc6
SHA1 hash: fbd73585e383a8b8deab07b0899eccae75d48217
SHA256 hash: a18e86dbfe2bee1ca87206bc3becd03bff4cd82be7747cb73ea3ed04191aef49
MD5 hash: 90f1e6924855c8ed7ecd881d0fda3494
SHA1 hash: 17e21ad9c97df38f0f58f5b21085e3e064c18c1c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
