MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6
SHA3-384 hash: 1734a4dbfc9c589c2085d4c8f10757df2693ac71c7a34de2faeca8586798f33e132a71ebf5f4d2a72309e5f3486da25a
SHA1 hash: a8094fc0290c454ca8d7e0bb9c02570e688fe909
MD5 hash: 6b3d5e9d0cb56179b7f31de77648be67
humanhash: georgia-mexico-steak-low
File name:LisectAVT_2403002A_34.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:462'856 bytes
First seen:2024-07-25 00:22:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 77eef4e097d1e4bdf8b3e7692e2593aa (5 x Gh0stRAT)
ssdeep 6144:YDBJuB+BuOQMfIQmslc5wUtQIb5ER4YXS96lQvaRcfMwWv:CrK+BiM635XtDEvXS96Ge9wWv
Threatray 28 similar samples on MalwareBazaar
TLSH T18DA46B136E07ED4EE386133129D97CE0111DBF5ABA65017FE2B83E9B1C34BB109AB495
TrID 31.0% (.EXE) InstallShield setup (43053/19/16)
22.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.SCR) Windows screen saver (13097/50/3)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 3c7462236727673b (2 x Gh0stRAT)
Reporter Anonymous
Tags:exe Gh0stRAT


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
CN CN
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a19ac4ae21d7902eaff69d
Tags:
Encryption Static Gh0stcringe
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66a19abfdfa8b2fced4e373d/reports/d0c4205a-1aab-47e1-8d5f-984d9e5d1837/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb57acee-79b6-450c-aae7-4fa0050184fc
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1482322
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6/
Threat name:
Win32.Trojan.FlyAgent
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 00:23:09 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vnqfeehnee5s3tne73yw5xf44cdqberpbzidfawubppqx2x7w3la._file
Verdict:
malicious
Similar samples:
21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d
Gh0stRAT
45827fa3c271acc4de2ec05ee95079341ba6f414e5c9e6a9e90526feb412e402
Gh0stRAT
45ba685ea7d66e5c0ac91b4c19a11dad0dff029f56afd15e87f8553f30f72d27
Gh0stRAT
ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6
Gh0stRAT
bfc673b442809a22a48e4c70d5027c925c8eaa56caee77ff6f896d480d78dcc2
Gh0stRAT
d727f725ef0c3837013468f9675b6a0531658d8e60f01e5762e130cbabd665d0
Gh0stRAT
e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d
Gh0stRAT
+ 18 additional samples on MalwareBazaar
Result
Malware family:
gh0strat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat discovery rat
Link:
https://tria.ge/reports/240725-an3trazanh/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Gh0st RAT payload
Gh0strat
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eea8245a-80c8-4f06-96cf-8386bc3ccbba
Unpacked files
SH256 hash:
31913b545d5634caaa1a8c8f6631fc795bdb063226360edd959d0e609bbfb270
MD5 hash:
2a21c07fbd78ce1f06c1a5f4f9696aa2
SHA1 hash:
ad4b952f5fa8e6b5a792d9d864da63b5bd5bbfc0
Detections:
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
check_installed_software
Create hunting rule
Mimikatz_Strings
Create hunting rule
GhostDragon_Gh0stRAT
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
MALWARE_Win_Zegost
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/f4d95e30-56c1-4046-afa7-c4651672e07d/
Parent samples :
21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d
ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6
SH256 hash:
20c22687aff8292df1458bb280c5ff13f60ec736ea2af75dd9c0377312277d1e
MD5 hash:
a1358aeca7172d40d058273067eeabef
SHA1 hash:
6629feed284702ba2ee8f5a334eb6e0deedf7ec2
Detections:
Mimikatz_Strings
Create hunting rule
GhostDragon_Gh0stRAT
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/f4d95e30-56c1-4046-afa7-c4651672e07d/
SH256 hash:
ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6
MD5 hash:
6b3d5e9d0cb56179b7f31de77648be67
SHA1 hash:
a8094fc0290c454ca8d7e0bb9c02570e688fe909
Link:
https://www.unpac.me/results/f4d95e30-56c1-4046-afa7-c4651672e07d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Gh0stRAT

Executable exe ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments