MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861
SHA3-384 hash: 2924a14a7e56785ac7a2ca0c54f60cc96b5a8cfe5ccf4b09f5055a7b7c882051de16dd508ca43e7368e3d726ff03c457
SHA1 hash: f7202adb66427a1616db3ec76adf285e2e81e8ac
MD5 hash: aad5d78715baf3a4c7145fda146df364
humanhash: paris-earth-oregon-white
File name:aad5d78715baf3a4c7145fda146df364
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:16'213'448 bytes
First seen:2024-01-03 17:02:17 UTC
Last seen:2024-01-03 19:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 42a4bf96ef10977cda556ef710b363f8 (1 x Gh0stRAT)
ssdeep 196608:1cj2VCjP3Gx0GaN+hn0u50iIoysG+Xcni0iYvr00E5GqJd5igOcSWUOMzn0O1kot:ZmGxrz0utIoLv520IiBOcSWUOMr0Klzf
TLSH T15FF623E793BACC34ED2620B1135616F1BB36ECAE30E1411BBDADB417907962C9CE55C2
TrID 28.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
27.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
17.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 80380f23272607f0 (1 x Gh0stRAT, 1 x QuasarRAT)
Reporter zbetcheckin
Tags:32 exe Gh0stRAT UPX

Intelligence

File Origin
# of uploads :
2
# of downloads :
387
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.Farfli.131.28743.28649.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Searching for the window
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug lolbin overlay packed packed packed remote upx
Link:
https://www.filescan.io/uploads/6595934ab290743934f35882/reports/27bdc05b-4f55-4a1f-a284-c7419438433c/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Lotok
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2342b965-47e5-4092-bf4a-6f0141616356
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369405
Signature
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify clipboard data
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-01-03 17:03:13 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2t3rik2w4d2pee2ktvcghebzpv5kpfurxfd6ozdvw53pblux5bqq._file
Verdict:
suspicious
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox rat rootkit trojan upx
Link:
https://tria.ge/reports/240103-x3s97ahbal/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates connected drives
UPX packed file
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SH256 hash:
525b002abe2819437b24f51b843e49b659645cca5f7dd3506e1958d33b2836ad
MD5 hash:
d2d90651d8164d07a7616bb568a87807
SHA1 hash:
9d90d17bf37cdd1024e180490d293d442830a350
Detections:
INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
MALWARE_Win_FatalRAT
Create hunting rule
Hidden
Create hunting rule
MALWARE_Win_PCRat
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
MALWARE_Win_Zegost
Create hunting rule
potential_termserv_dll_replacement
Create hunting rule
Link:
https://www.unpac.me/results/c23704cb-9f72-47ff-a6f1-463fe09262c4/
Parent samples :
d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861
ad7a76c684f1bd1910142d97a01fd6373a05872a0aefd213cf85e891428fdcc7
e65ce5d4d20836181fbc041ca28853c89946013e1ab7fcd7e0bb58442f274e0d
1b6b8aa0a500b965193144be54ffe030e84f8e2936c3e92d4a2b05a8759944d3
SH256 hash:
409599109d7862e9b565efc8f86c510750b2913d32fef2cc43b09c0e8142f6e0
MD5 hash:
cb7902ed6d17130f08cd24f72f9c3483
SHA1 hash:
b61d06ae20f1153ccb94f148e89490142a0e8344
Link:
https://www.unpac.me/results/c23704cb-9f72-47ff-a6f1-463fe09262c4/
SH256 hash:
d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861
MD5 hash:
aad5d78715baf3a4c7145fda146df364
SHA1 hash:
f7202adb66427a1616db3ec76adf285e2e81e8ac
Link:
https://www.unpac.me/results/c23704cb-9f72-47ff-a6f1-463fe09262c4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:MALWARE_Win_PCRat
Create hunting rule
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:MALWARE_Win_Zegost
Create hunting rule
Author:ditekSHen
Description:Detects Zegost
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Create hunting rule
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe d4f7142b56e0f4f2134a9d446390397d7aa79691b947e76475b776f0ae97e861

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2746230/

Comments


Avatar
zbet commented on 2024-01-03 17:02:19 UTC

url : hxxp://156.237.223.4:3668/xqbai.txt