MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b235909f95fd8919b86b757702e7343489fd8ad01562494a91a712bc47650010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	b235909f95fd8919b86b757702e7343489fd8ad01562494a91a712bc47650010
SHA3-384 hash:	5a0976bec64d3f9aca8bd6ab3810cb1ffffbcae4e0bde238427b280f521d1e11fdd22623a87ab8d82e7b1f44545fae63
SHA1 hash:	4e9cd551524827a9655adc4d0da07e9283a93379
MD5 hash:	1a46c19ac9a8d7d993526fe4e62a5dd0
humanhash:	kentucky-don-harry-oxygen
File name:	1a46c19ac9a8d7d993526fe4e62a5dd0.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	212'612 bytes
First seen:	2022-02-18 00:51:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	83e8c3f5d89828a1109ff443bc35e89e (1 x Gh0stRAT)
ssdeep	6144:w63MfYgvEpa23nVW5GJZ2tNYLj8Mfs5UoiwwV0S:w+MfuR3VzYKj86sqo42S
Threatray	844 similar samples on MalwareBazaar
TLSH	T1BD2413017BDBEB89D8C0EE30299B3AA691E5B8D6048F514F8AC915587D7F24F4ACB50C
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
183.236.2.18:1997

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
183.236.2.18:1997	https://threatfox.abuse.ch/ioc/388537/

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/242411/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Trojan.Manbat-6915473-0

Win.Trojan.Manbat-6915734-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a service

Launching a process

DNS request

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a service

Enabling autorun for a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm overlay packed palevo swisyn update.exe wacatac

Link:

https://www.filescan.io/uploads/620eedb5a2660f3bb9f621eb/reports/ee1c121a-b9b2-4e7f-a2f1-6092678ba42d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/972c6f92-e6f4-4a45-8988-3e56bb76da05

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/941969

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Checks if browser processes are running

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates a Windows Service pointing to an executable in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b235909f95fd8919b86b757702e7343489fd8ad01562494a91a712bc47650010/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2011-07-12 11:39:00 UTC

File Type:

PE (Exe)

AV detection:

23 of 43 (53.49%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wi2zbh4v7wertodlov3qfzzugse73cwqcvressuru4jlyr3faaia._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

bootkit persistence

Link:

https://tria.ge/reports/220218-a73yvsgeh3/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Drops file in Windows directory

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Sets DLL path for service in the registry

Unpacked files

SH256 hash:

49ce96dc6296aca7291f4a460d0a59f4de6b09d27b3046b63c1360de9bad6ceb

MD5 hash:

2a403033be73176d6e8066935c125d02

SHA1 hash:

33a67e9117976914877ed6a51cfe031eecbf4838

Link:

https://www.unpac.me/results/cc791628-3ecc-46e2-a723-e67bbeaa0fb5/

SH256 hash:

2d5a118f2dc29516f87bd5034d07ba23ade50bff87dd82838df4a01e8e29c6e6

MD5 hash:

94c20c4b3cd85ef93b0bb043be6506cb

SHA1 hash:

d6302adc75921641d105faadc4e447b42cc91e9d

Link:

https://www.unpac.me/results/cc791628-3ecc-46e2-a723-e67bbeaa0fb5/

SH256 hash:

b235909f95fd8919b86b757702e7343489fd8ad01562494a91a712bc47650010

MD5 hash:

1a46c19ac9a8d7d993526fe4e62a5dd0

SHA1 hash:

4e9cd551524827a9655adc4d0da07e9283a93379

Link:

https://www.unpac.me/results/cc791628-3ecc-46e2-a723-e67bbeaa0fb5/

Malware family:

Gh0st RAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b235909f95fd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b235909f95fd8919b86b757702e7343489fd8ad01562494a91a712bc47650010

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242411/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample