MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
SHA3-384 hash: 4e46d62a11a096224b0cd4356e5b593a9de9b92366ae2fa5a965aeebe9247aa14b55884e63fa443b309cb88a4202d9ae
SHA1 hash: 1a32349b2f09df58408b25fa5db5d432faf1fe9a
MD5 hash: e8f229e37cdfba2fec3d2734d5b36259
humanhash: oxygen-fix-pip-berlin
File name:cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:1'720'320 bytes
First seen:2022-01-07 08:36:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a99d91e1b68c500bb1244eb377c47a1 (4 x MimiKatz, 1 x Gh0stRAT)
ssdeep 24576:1KPPPkb8N5ECHlJ0ClyDgcnLS6FscTlPxHRdfQZv60grI8PQvixtpBZuYY6mqmFi:QPPEKNJIDgDcTlJHTfQfgsUxt0u+/K
Threatray 84 similar samples on MalwareBazaar
TLSH T10385332296F671D1F1B76B3A91BF1420C32A7E2A1D7C62D51F75A409ACA2FD4F804723
File icon (PE):PE icon
dhash icon 106c2cac68104c2c (2 x Gh0stRAT, 1 x MimiKatz)
Reporter JAMESWT_WT
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
Verdict:
Suspicious activity
Analysis date:
2022-01-07 08:36:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0c86b189-4d8c-43c7-aec3-af45d51f0f35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217679/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Win.Malware.Azorult-9785201-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for the window
Sending a custom TCP request
DNS request
Launching a process
Creating a file
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61d7fbb01c0d769df9d51852/reports/cbf8848c-f517-4800-bd1e-08e56b27c3bf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d611e7d-c749-46e2-9fa9-2da922c3234c
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916727
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549201 Sample: HbhHJSZSjE Startdate: 07/01/2022 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 3 other signatures 2->48 7 QAiyqi.exe 2->7         started        10 HbhHJSZSjE.exe 1 2 2->10         started        13 svchost.exe 2->13         started        15 10 other processes 2->15 process3 file4 56 Antivirus detection for dropped file 7->56 58 Multi AV Scanner detection for dropped file 7->58 60 Detected unpacking (changes PE section rights) 7->60 68 3 other signatures 7->68 17 QAiyqi.exe 1 7->17         started        32 C:\Windows\SysWOW64\QAiyqi.exe, PE32 10->32 dropped 34 C:\Windows\...\QAiyqi.exe:Zone.Identifier, ASCII 10->34 dropped 62 Tries to evade analysis by execution special instruction which cause usermode exception 10->62 64 Hides threads from debuggers 10->64 21 cmd.exe 1 10->21         started        66 Changes security center settings (notifications, updates, antivirus, firewall) 13->66 23 MpCmdRun.exe 1 13->23         started        signatures5 process6 dnsIp7 36 206.119.83.131, 49752, 8081 COGENT-174US United States 17->36 38 192.168.2.1 unknown unknown 17->38 50 Hides threads from debuggers 17->50 52 Uses ping.exe to sleep 21->52 54 Uses ping.exe to check the status of other devices and networks 21->54 25 PING.EXE 1 21->25         started        28 conhost.exe 21->28         started        30 conhost.exe 23->30         started        signatures8 process9 dnsIp10 40 127.0.0.1 unknown unknown 25->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 14:02:38 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 28 (85.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpeztoah5fqqnivkjvcx3vi27lcsz3qxjzpx5uckl45aw5avb5pa._file
Verdict:
malicious
Similar samples:
03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947
Gh0stRAT
0e7788bda2da25fa8b20310c6cb0618c0a1b989f72006f96526704a6b8c90866
Gh0stRAT
1bd4eeb7f7ae8a4ca1fb2fcf673cbb810ca123d6672a1d6d10ed317688ffcfac
Gh0stRAT
389ddb82e254c476a6e3e2534182314d4702ce525371c2bcd5da6ef19d4851fb
Gh0stRAT
3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785
Gh0stRAT
62b14085994023f524c75bb0078c9bb78c5b0e5d82364b87ca7530c041f0ec5d
Gh0stRAT
8872e76ffc38017c1b3ef4b07756edb26c82cf45cceb8ed4d8c153c358fb5674
Gh0stRAT
af46e5160e837fafd904b62bd81795beefa95ec11d854cedee7565a991210d87
Gh0stRAT
ea45f9b3dd2e613bb9cb0659dcf6d66ca092738fc510e37226bb99542ad685c8
Gh0stRAT
f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170
Gh0stRAT
+ 74 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220107-kh694acae5/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
MD5 hash:
e8f229e37cdfba2fec3d2734d5b36259
SHA1 hash:
1a32349b2f09df58408b25fa5db5d432faf1fe9a
Link:
https://www.unpac.me/results/a1ef7c79-4f87-4015-a25d-e41b14b68ac1/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cbc999b807e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:win_iceid_core_ldr_202104
Create hunting rule
Author:Thomas Barabosch, Telekom Security
Description:2021 loader for Bokbot / Icedid core (license.dat)
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217679/

Comments