MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d
SHA3-384 hash: fd231262bcffe472d1fc7e2cd2deb84b2e0784e62e9cb7069e4f43fc9cef92be0b12742754f7f6d49b59221f51cab686
SHA1 hash: e9e152ede515c28efd5905fc3f3500317c7b7705
MD5 hash: 63ad0e285b5fa68aa5a32dc3f04e5b7b
humanhash: may-pizza-hotel-whiskey
File name:63ad0e285b5fa68aa5a32dc3f04e5b7b
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:544'768 bytes
First seen:2021-02-09 15:01:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1fd253bae4332505c298af514c6340d2 (2 x Gh0stRAT)
ssdeep 6144:R6AXtAOfFELJlZn9ocihaFcRfp1pjO4bi+G+bHq3aZROrNu9lI7Wm:R6ZOfFkxJFc1XxVi0bKXu7nm
Threatray 779 similar samples on MalwareBazaar
TLSH D4C49D52F7C0452AC916113E4F825B295EF2EC764BE14CC3BB1C7A9C9538BE89DBE205
Reporter JAMESWT_WT
Tags:Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
63ad0e285b5fa68aa5a32dc3f04e5b7b
Verdict:
Malicious activity
Analysis date:
2020-10-08 14:28:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6fd0fdf-5fb3-4fbc-b78c-95a9f078e6c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116205/
Detection(s):
SecuriteInfo.com.BackDoor.Generic_r.PVF.29567.20981.UNOFFICIAL
Create hunting rule

Win.Trojan.Zegost-9828868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/603194
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2017-11-22 08:22:44 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
Gh0stRAT
15198db6364e7676c89fd343b0ae8d44b216c5da6ea8d627e525e08d5889ddf2
Gh0stRAT
27773e11c6819e9fbbcf0d547fbf2cca3da04918d04a3dd9cab82f36a28c8252
Gh0stRAT
2913bb673124ec044db347151ea548c688f5e7d4f8d463878a660fa76b883a95
Gh0stRAT
3774be9b40ea80453e8d666d1fb4f7e43758b307d1631735ae0b9a9f1eb6f8f5
Gh0stRAT
5439d13bbab7a6469eea772dbec45e2b08553462f2664e1e48cfee852b6525b2
Gh0stRAT
6d2c4017b8f44df58ac0c40581c211fcf975f6515e77bd67dc50f03243021a8a
Gh0stRAT
8f08385add724e16ab49fddc0a9dc3064a54ad5241a76a63115ea5042524bd2d
Gh0stRAT
c5cd43a8d9f8bc594501ff81ba10f519ce321a0699f2de951dc7e8e19936775e
Gh0stRAT
d1597e82baaf9f9d66a8f577c8a656d17192c7a5dbc80ced5c89046b7592dce1
Gh0stRAT
+ 769 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210209-rpn33xtlpe/
Behaviour
Modifies system certificate store
Unpacked files
SH256 hash:
aeeb21360a426bea27c4372c8cff7691726f12a4a8767581272302e254114a79
MD5 hash:
c3123d35477c1a89dd6731a66697e303
SHA1 hash:
e7c6ca9beb2a74fb178f3857e98dbb204f8e0508
Link:
https://www.unpac.me/results/a1f1119d-b1ec-40af-ae5b-8ee48e35d698/
SH256 hash:
a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d
MD5 hash:
63ad0e285b5fa68aa5a32dc3f04e5b7b
SHA1 hash:
e9e152ede515c28efd5905fc3f3500317c7b7705
Link:
https://www.unpac.me/results/a1f1119d-b1ec-40af-ae5b-8ee48e35d698/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a848fa16033d9227dc16aae2e3a96b13c8f53f9c898dd316ef541ac86ec22b1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GhostDragon_Gh0stRAT
Create hunting rule
Author:Florian Roth
Description:Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:https://blog.cylance.com/the-ghost-dragon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/116205/

Comments