MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae0c2b4ed2f3beac01a8997f8ac0cfa78d01e9b55e5cc70b490441e756fee039. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae0c2b4ed2f3beac01a8997f8ac0cfa78d01e9b55e5cc70b490441e756fee039
SHA3-384 hash: 671cba12e29358e4047532de27ee505099b01e067baebe0abaec72d85302cbe82af289ccd0140d97a0e6a47e89ad6a36
SHA1 hash: 8ac27e167ba9459f3434bf055ce90a0c3681e13b
MD5 hash: c2d157d99942dc12dfe9dcaad5304866
humanhash: white-july-california-nevada
File name:SpaceCityV2.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:793'600 bytes
First seen:2022-12-16 14:34:09 UTC
Last seen:2022-12-16 16:37:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d13d399db15c51a1337d692663151209 (3 x Gh0stRAT, 1 x Zegost)
ssdeep 12288:jaia+of8EJE4zszA+MkJPSS7lWo/TzzDqsZDD9OItfD5HgHq/lLg2z:jaizYtsM6THDqWDgwfZ8YLg2z
Threatray 206 similar samples on MalwareBazaar
TLSH T1C5F45A27E3B18BBDC156C13E81A28E09A73FB87D0733C1D745928619EB59AC01F3566E
TrID 59.1% (.SCR) Windows screen saver (13097/50/3)
13.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
9.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 7b4fcc44361e14a4 (3 x Gh0stRAT, 1 x Zegost)
Reporter iamdeadlyz
Tags:45-153-241-207 exe FakeGaliXCity Gh0stRAT SpaceCity


Avatar
Iamdeadlyz
From spacecity.games (impersonation of galixcity.io)
Taken from: 888911f248e764f4a7ece25cab594a925bf13eb797fd1578b824d592a7719814
Gh0stRAT C&C: 45.153.241.207:1016

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SpaceCityV2.exe
Verdict:
No threats detected
Analysis date:
2022-12-16 14:36:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69994436-a225-4675-b719-2e4b0030fdc7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347024/
Detection(s):
SecuriteInfo.com.FileRepMalware.22207.22736.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/52780/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
LanguageCheck
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
cmd.exe packed
Link:
https://www.filescan.io/uploads/639c82189221dc27da9dd9f2/reports/d53afad5-69b7-4054-bfba-d123600e4f68/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0e3d4036-ffd8-40cd-944d-7cf374b9b12a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1135772
Signature
Malicious sample detected (through community Yara rule)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 768504 Sample: SpaceCityV2.exe Startdate: 16/12/2022 Architecture: WINDOWS Score: 48 13 Malicious sample detected (through community Yara rule) 2->13 7 SpaceCityV2.exe 2 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 conhost.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae0c2b4ed2f3beac01a8997f8ac0cfa78d01e9b55e5cc70b490441e756fee039/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vygcwtws6o7kyanitf7yvqgpu6gqd2nvlzomoc2jara6ovx64a4q._file
Verdict:
unknown
Similar samples:
0331c7bca665f36513377fc301cbb32822ff35f92511579d699613f0bb624802
Gh0stRAT
12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d
Gh0stRAT
23fcbffb6a6eac85e59c0c52280ea7fa6a5859fd8f362aa91a1a3e11f6352a88
Gh0stRAT
273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735
Gh0stRAT
7ceb6d9e04042cd53b9c374e69cbf22e05edff6571a01610b844963d881e1057
Gh0stRAT
94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98
Gh0stRAT
a0adb7d7f0a24b3882b1a9c4ce48c4ab23de093845dc6e949d6d036a64a33762
Gh0stRAT
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
Gh0stRAT
a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b
Gh0stRAT
e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882
Gh0stRAT
+ 196 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-rxjkxahf8w/
Behaviour
Suspicious use of WriteProcessMemory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/120ff31d-da2b-493c-885c-ef3f8f923914
Unpacked files
SH256 hash:
ae0c2b4ed2f3beac01a8997f8ac0cfa78d01e9b55e5cc70b490441e756fee039
MD5 hash:
c2d157d99942dc12dfe9dcaad5304866
SHA1 hash:
8ac27e167ba9459f3434bf055ce90a0c3681e13b
Link:
https://www.unpac.me/results/c9ad099c-92b4-4ba0-8546-7a86b4e048b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae0c2b4ed2f3beac01a8997f8ac0cfa78d01e9b55e5cc70b490441e756fee039

File information

The table below shows additional information about this malware sample such as delivery method and external references.

888911f248e764f4a7ece25cab594a925bf13eb797fd1578b824d592a7719814

Gh0stRAT

Executable exe ae0c2b4ed2f3beac01a8997f8ac0cfa78d01e9b55e5cc70b490441e756fee039

(this sample)

Gh0stRAT

Executable exe 78be65f626e4a9e81c655b36c96dacc8898287d4954cbffd98788e602369f8ca

Gh0stRAT

Batch (bat) bat 649c9081b96d38aaea3052741d8549bb693a6a5327676376dd11d98ef51f697a

  
Dropped by
SHA256 888911f248e764f4a7ece25cab594a925bf13eb797fd1578b824d592a7719814
  
Dropping
SHA256 649c9081b96d38aaea3052741d8549bb693a6a5327676376dd11d98ef51f697a
  
Dropping
SHA256 78be65f626e4a9e81c655b36c96dacc8898287d4954cbffd98788e602369f8ca
  
Dropping
SHA256 75a050c99cb24f2bfb3f40502fb960644e7c2f4ed143fdb5479a95a2ad487482
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2466676/
Cape
Cape
https://www.capesandbox.com/analysis/347024/
  
Dropping
MD5 038c21e92311ecb6e67e143128c3a350

Comments