MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1
SHA3-384 hash: 133d1bd59a8b62f39177084472447417ca060271184788dee3e3a48d28417570ddbfb74e7271e64bc05a08563cad570a
SHA1 hash: bdcbf9074e6fbfa67a6a03e3c7b0506202a6895c
MD5 hash: 912c1da61d3810a78d0d5add6cfbf53a
humanhash: nevada-undress-nineteen-butter
File name:EasyPay.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:2'129'920 bytes
First seen:2022-01-07 08:26:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ec1c61daea7fc01cadcf4054eb30cb0 (1 x Gh0stRAT)
ssdeep 49152:brLYKWmHPPZUQyYbxPtI2SsqBjlc+1ALB+fbmdxJZzng:bpWoPZUmttvSselc++B+fbmdxJZ7
Threatray 56 similar samples on MalwareBazaar
TLSH T1B2A533F4672B1476D1839D3C80A312ADFB1529D3EA319C8BD89CC7F59B926D7112A332
File icon (PE):PE icon
dhash icon 30f0cc8696cccccc (1 x Gh0stRAT)
Reporter JAMESWT_WT
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EasyPay.exe
Verdict:
Malicious activity
Analysis date:
2022-01-07 08:24:34 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/707df8cd-5d72-4bba-ac98-9b67d7ace961

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217677/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.32439.18799.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a UDP request
Launching a service
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Creating a service
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d7f95a02e388f9fdb263db/reports/43e3fb45-9698-4dfa-aafb-37b17cfc87a5/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddd39644-92bd-475c-bbd5-70759122ab94
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916720
Signature
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549194 Sample: EasyPay.exe Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected Mimikatz 2->51 53 3 other signatures 2->53 8 EasyPay.exe 2 2->8         started        12 DGtldt.exe 2->12         started        14 svchost.exe 1 2->14         started        16 3 other processes 2->16 process3 file4 41 C:\Users\user\Desktop#irtkes.exe, PE32 8->41 dropped 63 Drops PE files to the user root directory 8->63 18 Desktop#irtkes.exe 1 1 8->18         started        22 cmd.exe 1 8->22         started        65 Multi AV Scanner detection for dropped file 12->65 67 Detected unpacking (changes PE section rights) 12->67 69 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->69 71 3 other signatures 12->71 24 DGtldt.exe 1 12->24         started        signatures5 process6 dnsIp7 39 C:\Windows\SysWOW64\DGtldt.exe, PE32 18->39 dropped 55 Multi AV Scanner detection for dropped file 18->55 57 Detected unpacking (changes PE section rights) 18->57 59 Tries to evade analysis by execution special instruction which cause usermode exception 18->59 27 cmd.exe 1 18->27         started        30 conhost.exe 22->30         started        32 PING.EXE 1 22->32         started        45 193.203.214.98, 49754, 8080 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Hong Kong 24->45 61 Hides threads from debuggers 24->61 file8 signatures9 process10 signatures11 73 Uses ping.exe to sleep 27->73 75 Uses ping.exe to check the status of other devices and networks 27->75 34 PING.EXE 1 27->34         started        37 conhost.exe 27->37         started        process12 dnsIp13 43 127.0.0.1 unknown unknown 34->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 08:24:47 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2xt5tkasw3wexndcnxsbgayytmwncjit3o7ypop6rcnxhkmvhaq._file
Verdict:
malicious
Similar samples:
03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947
Gh0stRAT
1bd4eeb7f7ae8a4ca1fb2fcf673cbb810ca123d6672a1d6d10ed317688ffcfac
Gh0stRAT
389ddb82e254c476a6e3e2534182314d4702ce525371c2bcd5da6ef19d4851fb
Gh0stRAT
3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785
Gh0stRAT
62b14085994023f524c75bb0078c9bb78c5b0e5d82364b87ca7530c041f0ec5d
Gh0stRAT
8872e76ffc38017c1b3ef4b07756edb26c82cf45cceb8ed4d8c153c358fb5674
Gh0stRAT
af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87
Gh0stRAT
cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
Gh0stRAT
ea45f9b3dd2e613bb9cb0659dcf6d66ca092738fc510e37226bb99542ad685c8
Gh0stRAT
f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170
Gh0stRAT
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/220107-kce9escad4/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Deletes itself
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1
MD5 hash:
912c1da61d3810a78d0d5add6cfbf53a
SHA1 hash:
bdcbf9074e6fbfa67a6a03e3c7b0506202a6895c
Link:
https://www.unpac.me/results/d4f1f425-eccb-4e3b-a89c-122d8803f292/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/Jirehlov/status/1479359110399205380?s=20
Cape
Cape
https://www.capesandbox.com/analysis/217677/

Comments