MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b
SHA3-384 hash: 78a2537fe3a5ecd6cfc5c768faa2ac07b99210b6c8f808943967e2b3223b4b2199541926031a2c457192e9834564b2e7
SHA1 hash: 338cfb618115096a62f335b1c9e8a61ed62dadb9
MD5 hash: 4df99abfdfd83c2d991b0f44ed5c8582
humanhash: moon-oscar-six-equal
File name:918b45be.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:7'773'480 bytes
First seen:2023-07-05 12:09:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29911cca6f80c985ff6d48f1ac7bf157 (1 x Gh0stRAT)
ssdeep 49152:DFMtJ0xnMHMAyhUAJhsxRtQs9NAGHgmgtRqOS/iKdXXMrEomU8i8Hf4G/yF5GC2Y:DdhfK+skSf48HryF2leT/n
TLSH T1E1763C10E601C05AFDA740B2DEFED55D6098B9600F6C00E371856EFEAE6DAD23E32597
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter obfusor
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
918b45be.exe
Verdict:
Malicious activity
Analysis date:
2023-07-05 12:11:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f79d2d9-a1fb-4778-8733-38dd708041f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/407571/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.32400.9827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Creating a file in the Program Files subdirectories
Creating a file in the %AppData% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95621/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto greyware keylogger overlay packed stealer
Link:
https://www.filescan.io/uploads/64a55d9bdd70cf216f4ad580/reports/bca2f47a-c8ed-4fb9-a2a6-ec843efd6fe2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a12a677c-c462-4501-a4dc-85bbc7c8938f
Result
Threat name:
Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1267202
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found stalling execution ending in API Sleep call
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1267202 Sample: 918b45be.exe Startdate: 05/07/2023 Architecture: WINDOWS Score: 80 41 Snort IDS alert for network traffic 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 3 other signatures 2->47 9 918b45be.exe 2 20 2->9         started        14 Dboeingcoms.exe 2->14         started        process3 dnsIp4 35 47.243.246.129, 1023, 49693, 49698 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 9->35 37 xin.hainan66.top 8.218.162.140, 2088, 49694, 49699 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 9->37 31 C:\Program Files\MSXML 8.1\Dboeingcoms.exe, PE32 9->31 dropped 33 C:\...\Dboeingcoms.exe:Zone.Identifier, ASCII 9->33 dropped 49 Found stalling execution ending in API Sleep call 9->49 51 Contains functionality to detect sleep reduction / modifications 9->51 16 cmd.exe 1 9->16         started        file5 signatures6 process7 process8 18 find.exe 1 16->18         started        20 tasklist.exe 1 16->20         started        22 tasklist.exe 1 16->22         started        24 29 other processes 16->24 process9 26 svchost.exe 18->26 injected process10 28 Dboeingcoms.exe 26->28         started        dnsIp11 39 xin.hainan66.top 28->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 12:10:07 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uuudsa7t3wmjermmniv7qz5ya4tv3fwrl53a7uypsyvkn6gnpmnq._file
Verdict:
unknown
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat persistence rat
Link:
https://tria.ge/reports/230705-pb1wysdf6z/
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Enumerates connected drives
Gh0st RAT payload
Gh0strat
Unpacked files
SH256 hash:
a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b
MD5 hash:
4df99abfdfd83c2d991b0f44ed5c8582
SHA1 hash:
338cfb618115096a62f335b1c9e8a61ed62dadb9
Link:
https://www.unpac.me/results/8a7c52c5-59c5-40f2-89cd-a1b36afbc3c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/407571/

Comments