MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zegost

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b
SHA3-384 hash:	4319a12b6d700d9bcf92d652c8beef03d77dd3e554c5b03d8a26289287510ca9526e458aec52593cd76183ea5ae60c98
SHA1 hash:	ea689a474e33438d7ee3f312aa9506837b069958
MD5 hash:	51a049b0392d813227d3093db8d71c0b
humanhash:	bakerloo-sierra-three-pizza
File name:	LauncherV2.exe
Download:	download sample
Signature	Zegost Create hunting rule
File size:	3'016'127 bytes
First seen:	2022-12-16 13:35:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d13d399db15c51a1337d692663151209 (3 x Gh0stRAT, 1 x Zegost)
ssdeep	49152:mizYt16TjDqWDgwfi+gC6DXuAdAzAIkBHLOjcyMiKL5L9GLcvtl12KSJmB7x:Cu+WDgwfi+gDXuAitIOIBF7vtl1ZSJs
Threatray	204 similar samples on MalwareBazaar
TLSH	T1B3D50127E3714BBEC056C13D81A28E09A76FB87D1737C0C745828659EB59AC02F3666F
TrID	59.1% (.SCR) Windows screen saver (13097/50/3) 13.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3) 9.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	7b4fcc44361e14a4 (3 x Gh0stRAT, 1 x Zegost)
Reporter	iamdeadlyz
Tags:	23-106-215-217 exe FakeGaliXCity Gh0stRAT SpaceCity

Iamdeadlyz

From spacecity.games (impersonation of galixcity.io)
Gh0stRAT C&C: 23.106.215.217:1017

Intelligence

File Origin

# of uploads :

1

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

LauncherV2.exe

Verdict:

Malicious activity

Analysis date:

2022-12-16 13:35:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a1a8a090-2eaf-4f92-b777-0c6d9878ebf9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/346999/

Detection(s):

SecuriteInfo.com.OpCloudHopper_Malware_3.172.6304.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Running batch commands

Creating a process with a hidden window

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/52761/overview

Behaviour

MalwareBazaar

LanguageCheck

CheckNumberOfProcessor

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe overlay packed

Link:

https://www.filescan.io/uploads/639c74072443142ef33fabd1/reports/748c7a4b-f192-4d79-8b43-d539fff855d2/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/eabe800a-f596-42ef-9d03-ed3138b19c1d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1135715

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Obfuscated Powershell

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vab3ixcs7rg3dhrwj3o7vvm2jmjr45ksauzbpvkhsfv4x7pylcnq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/221216-qvnleaeg62/

Behaviour

Suspicious use of WriteProcessMemory

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4518b83f-39ee-491b-8475-5650b8eb1f2e

Unpacked files

SH256 hash:

a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b

MD5 hash:

51a049b0392d813227d3093db8d71c0b

SHA1 hash:

ea689a474e33438d7ee3f312aa9506837b069958

Link:

https://www.unpac.me/results/164a0dd9-5d63-4e86-bf75-9390b7c70fbb/

Malware family:

APT10

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a803b45c52fc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b

(this sample)

exe 133224bb212564ed0b687341512fa57fe2a55e54defededb5517ac8d8b239677

bat 6c36f537ce6cad4fc9ba7114286d295dd7756a593703ab01d1eb15b68219ba58

Dropping

SHA256 6c36f537ce6cad4fc9ba7114286d295dd7756a593703ab01d1eb15b68219ba58

Dropping

SHA256 133224bb212564ed0b687341512fa57fe2a55e54defededb5517ac8d8b239677

Dropping

SHA256 1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/346999/

URLhaus

https://urlhaus.abuse.ch/url/2466674/

Dropping

MD5 6e9d5145a5348c57af6ff82df4e523d2

Dropping

MD5 61475d623cd9c596b73b61cf637a467a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample