MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5991cded52d75cc97376be8799f0d6e5d36ebf84b92c3d6f69946d131cab50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 16



SHA256 hash: bb5991cded52d75cc97376be8799f0d6e5d36ebf84b92c3d6f69946d131cab50
SHA3-384 hash: b9169d533b2fadd3911df2778eada25a6ab1bb1ff9f09272bafdf3a53c29cb7154272807b13347f52eba9d85b74eada0
SHA1 hash: 96fe2a80670a20510d674100658e61c68697869a
MD5 hash: bf994bc81c8b866ab5bff311e45a7314
humanhash: mike-florida-snake-asparagus
File name: bf994bc81c8b866ab5bff311e45a7314.exe
Signature: Gh0stRAT
File size: 6'012'858 bytes
First seen: 2023-09-09 14:25:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 575ea90c069471216fa3adaba586119e (5 x Gh0stRAT, 2 x QuasarRAT, 1 x DarkComet)
ssdeep: 98304:dsxU+duLXdezltEPEn7I1VPoTG8Mx5gfnQknyx5DyR7HYI6zP14dnUVjZWrcnjZD:dsxVd+deCEko1XByx5Dy/U4dQj/jZD
Threatray: 16 similar samples on MalwareBazaar
TLSH: T152563342DAB0637EC72588B4B0F19A28DEA07C4F54B274760F6F34854E78A5ED6FC168
TrID: 34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.7% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 96716dd4c4cc69b2 (2 x Gh0stRAT)
Reporter: abuse_ch
Tags: exe Gh0stRAT


abuse_ch
Gh0stRAT C2:
115.236.153.170:41719

Intelligence


File Origin
# of uploads: 1
# of downloads: 371
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: bf994bc81c8b866ab5bff311e45a7314.exe
Verdict: Malicious activity
Analysis date: 2023-09-09 14:27:12 UTC
Tags: rat pcrat gh0st

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for the window
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Windows directory
Moving a recently created file
Modifying an executable file
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Creating a file in the drivers directory
Running batch commands
Creating a process with a hidden window
Loading a system driver
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypter lolbin overlay packed packed shell32 upx
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Gh0stCringe, Mimikatz, Nitol, RunningRAT
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify clipboard data
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Yara detected Mimikatz
Yara detected Nitol
Yara detected RunningRAT
Behaviour
Behavior Graph ID: 1306682 (Sample: YiARoBSON7.exe, Startdate: 09/09/2023, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Vindor
Status: Malicious
First seen: 2023-09-04 06:50:00 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 33 of 38 (86.84%)
Threat level: 5/5
Result
Malware family: purplefox
Score: 10/10
Tags: family:gh0strat family:purplefox persistence rat rootkit trojan upx
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Sets DLL path for service in the registry
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP
Author: ditekSHen
Description: Detects executables embedding registry key / value combination manipulating RDP / Terminal Services
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MALWARE_Win_Nitol
Author: ditekSHen
Description: Detects Nitol backdoor
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: NSPack3xLiuXingPing
Author: malware-lu
Rule name: NsPacKV36LiuXingPing
Author: malware-lu
Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments