MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357
SHA3-384 hash: d44bf75e1624f29c3e8f3f20bcd72e89b62b12e583daee5647136f4991f679be20bdc6f453127f25f1147f88ccb68eff
SHA1 hash: 409097d48da7ae8fbed7699f941890d993d433ee
MD5 hash: 1c673668cf26857e620fb532b676b3b8
humanhash: timing-washington-queen-zebra
File name:1c673668cf26857e620fb532b676b3b8.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:12'661'760 bytes
First seen:2023-03-10 06:53:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 196608:FgF3ZyqzxbAQvaNJm3AqowejuJDUX47dwdW0tnFwB2nT7vYPJSuI2wlH:2FJyyxy/m3poaUX47d4VnNHeU
Threatray 170 similar samples on MalwareBazaar
TLSH T157D63385B2F008F6D4759235D981D970A7BAF836077496CF9388427B1F33AD0A877E26
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c673668cf26857e620fb532b676b3b8.exe
Verdict:
Malicious activity
Analysis date:
2023-03-10 06:58:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d0132960-8f3f-401a-bad6-a45cce6c1c15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373216/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/640ad40d25f33fb2381ccdb0/reports/511fec94-9f2a-4961-a932-2b9283ca9f61/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5663c36f-86e6-4956-b579-01e9c161b7a2
Result
Threat name:
GhostRat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1190936
Signature
Found potential ransomware demand text
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected GhostRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823809 Sample: UnDdPNQph4.exe Startdate: 10/03/2023 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected GhostRat 2->60 62 2 other signatures 2->62 9 UnDdPNQph4.exe 4 2->9         started        process3 file4 42 C:\Users\user\AppData\Local\...\registers.exe, PE32 9->42 dropped 44 C:\Users\user\...behaviorgraphfFJZjFnNJclIAIn.exe, PE32+ 9->44 dropped 46 C:\Users\user\AppData\...\UnDdPNQph4.exe.log, CSV 9->46 dropped 12 GfFJZjFnNJclIAIn.exe 72 9->12         started        16 conhost.exe 9->16         started        process5 file6 48 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 12->48 dropped 50 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 12->50 dropped 52 C:\Users\user\AppData\...\win32security.pyd, PE32+ 12->52 dropped 54 65 other files (none is malicious) 12->54 dropped 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->64 66 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 12->66 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->68 70 4 other signatures 12->70 18 GfFJZjFnNJclIAIn.exe 6 12->18         started        signatures7 process8 process9 20 cmd.exe 1 18->20         started        22 cmd.exe 1 18->22         started        24 cmd.exe 1 18->24         started        26 146 other processes 18->26 process10 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 139 other processes 26->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 15:24:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1396
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqealuc7ym6fd5txcm23zx5otmb64esqddg6alguwrnxqghbcnlq._file
Verdict:
malicious
Similar samples:
5e10ebc93952475c75c3c489ccdf4631faadfbabf7788104b4a96138aecc9ebb
Gh0stRAT
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
Gh0stRAT
a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c
Gh0stRAT
afca37e4b44aced677169e1e1b898cb49a2d689f8322e6e824f97ca9a5d49443
Gh0stRAT
b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69
Gh0stRAT
ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458
Gh0stRAT
ccc9894ae7557a69148494ded97c5e496b6729022eaa1c62e1bd1ad71cf07d84
Gh0stRAT
d45a1b5534537ec33ee203c046c53759b43cad93541793888b61f1371d3a8a2d
Gh0stRAT
eb9445e9be4d04ce2f6248e43d0cd912b157ca36ee8da123430f94d8609c219b
Gh0stRAT
+ 160 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230310-hn8n1aca68/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
311cc6f63160f6c7a12946de981151ed1d76c11330b4d9b2c73dfcb27217b389
MD5 hash:
3d0968ad4602d7f1a6ea88ed5cb83ef6
SHA1 hash:
5365bef491bde6c086fff7e4aaa851f551648859
Link:
https://www.unpac.me/results/ea7a12ff-ce8b-4f30-82c9-7c1e6c68a719/
SH256 hash:
cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357
MD5 hash:
1c673668cf26857e620fb532b676b3b8
SHA1 hash:
409097d48da7ae8fbed7699f941890d993d433ee
Link:
https://www.unpac.me/results/ea7a12ff-ce8b-4f30-82c9-7c1e6c68a719/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe cc0805d05fc33c51f6771335bcdfae9b03ee125018cde02cd4b45b7818e11357

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2559923/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/373216/

Comments