MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d
SHA3-384 hash: efc1d16f8824b989e748f3b90cc31db1978e7bcb7b6bdb231765f7362338331558fc6ccfd5472a0f72343e0bb3843f0a
SHA1 hash: 5cca20082b4fda84f6fad7446d0d3e7c969edc56
MD5 hash: 33bede7ea0b8b8c42e877d069a40c357
humanhash: mexico-glucose-oven-dakota
File name:33bede7ea0b8b8c42e877d069a40c357
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:406'016 bytes
First seen:2024-01-09 05:24:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d (5 x Gh0stRAT, 2 x PurpleFox, 1 x YoungLotus)
ssdeep 12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2aB:s9Dbg6lV9C2JOBUIc12aB
Threatray 16 similar samples on MalwareBazaar
TLSH T1E18412917F4541A3C30A3A74CDE08F554E145FE11E28298FBD787BA8D9B02DE2C62E4B
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon f0f4e8cccce8d4f0 (8 x Gh0stRAT, 1 x Nitol, 1 x MimiKatz)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d.exe
Verdict:
Malicious activity
Analysis date:
2024-01-09 05:27:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8b54d62-ba89-45e3-bb7b-e751635cf6ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat / Gh0st
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469961/
Detection(s):
Win.Trojan.Farfli-7639977-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Сreating synchronization primitives
DNS request
Launching cmd.exe command interpreter
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
farfli packed xpack
Link:
https://www.filescan.io/uploads/659cd8af8369fab94de849d1/reports/dfcc920d-3a6b-4c2b-b052-5f68289dbd01/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Farfli
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/255fc366-642d-4973-82ed-adadcc18cefe
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1371616
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2024-01-05 14:38:00 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydnfe5rf4sh7qzyzn56qzmurc7k2rw2c274aeycp2ihk76rlr5gq._file
Verdict:
malicious
Similar samples:
2e45f477488c99d5265e0bdd32e1e55f4e28491e0a25930127bc14f072aa0233
Gh0stRAT
52d7f88f2af1afe7ca436c7553bc9f46d0b61d43a49458b1de79e66640a8b957
Gh0stRAT
795eaa68705bc7de86df67b899d98c9bf359e5173ed3a1544f1a721a0316fca6
Gh0stRAT
a18e86dbfe2bee1ca87206bc3becd03bff4cd82be7747cb73ea3ed04191aef49
Gh0stRAT
bb5991cded52d75cc97376be8799f0d6e5d36ebf84b92c3d6f69946d131cab50
Gh0stRAT
+ 6 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan upx
Link:
https://tria.ge/reports/240109-f4ae2aggfq/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
af08dc9b09349ee909cf75ed123aba359ec1026b0943c7ed0ce01fb028c3af48
MD5 hash:
6402bf341201184f92a81783c672dcc6
SHA1 hash:
fbd73585e383a8b8deab07b0899eccae75d48217
Detections:
Mimikatz_Strings
Create hunting rule
Hidden
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/22b5c520-e443-48a0-bd35-aa3ce395ab57/
Parent samples :
c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d
1d83bdba4198a28193b93de0f88fa79bb7ff17249b54654c07cb11a27e708644
SH256 hash:
c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d
MD5 hash:
33bede7ea0b8b8c42e877d069a40c357
SHA1 hash:
5cca20082b4fda84f6fad7446d0d3e7c969edc56
Link:
https://www.unpac.me/results/22b5c520-e443-48a0-bd35-aa3ce395ab57/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c0da527625e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe c0da527625e48ff867196f7d0cb29117d5a8db42d7f802604fd20eaffa2b8f4d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469961/
  
URLhaus
https://urlhaus.abuse.ch/url/2747445/

Comments


Avatar
zbet commented on 2024-01-09 05:24:59 UTC

url : hxxp://49.232.142.48/srr.exe