MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 15



SHA256 hash: d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656
SHA3-384 hash: 93ac30bf03a4df0b09612bba15417c4e03965d550fc99f4d05b9947c046e57d31e2b9caf116d1658afcc850a8e261077
SHA1 hash: 7c79f886d41db8c6940a78eaf176928b698dfe79
MD5 hash: 9be92b9ccb5d7469e0e136ba9c1685a3
humanhash: bakerloo-sierra-nineteen-butter
File name: RuntimeBroker.exe
Signature: Gh0stRAT
File size: 3'067'334 bytes
First seen: 2024-01-21 02:02:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep: 49152:cjwsbCANnKXferL7Vwe/Gg0P+WhVKDmn2rJ7L9/:yws2ANnKXOaeOgmhVKDmn2rJ7LZ
Threatray: 18 similar samples on MalwareBazaar
TLSH: T1C5E57C43B69584B2C3C84571DE67DAB39B207EBE17F206BB7648FDC83A352847A31215
TrID: 45.7% (.OCX) Windows ActiveX control (116521/4/18)
      22.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      12.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      6.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      4.1% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: c7c74b25852555df (1 x Gh0stRAT)
Reporter: adm1n_usa32
Tags: exe Gh0stRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 285
Origin country: RO
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Moving a file to the %temp% directory
Modifying an executable file
Searching for synchronization primitives
Sending a custom TCP request
Creating a file in the drivers directory
Loading a system driver
Running batch commands
Creating a process with a hidden window
DNS request
Enabling autorun for a service
Infecting executable files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive explorer farfli fingerprint hook iceid keylogger lolbin msiexec overlay packed packed rat rundll32 shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Gh0stCringe, GhostRat, Mimikatz, Running
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Yara detected GhostRat
Yara detected Mimikatz
Yara detected RunningRAT
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID 1378137, sample RuntimeBroker.exe, start date 21/01/2024, architecture WINDOWS, score 100. The root process RuntimeBroker.exe starts N.exe, R.exe and HD_RuntimeBroker.exe; further nodes cover TXPlatfor.exe, svchost.exe, Remote Data.exe, cmd.exe and PING.EXE, a DNS lookup of hackerinvasion.f3322.net, and the dropped driver C:\Windows\System32\drivers\QAssist.sys.
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2023-08-24 04:37:00 UTC
File Type: PE (Exe)
Extracted files: 141
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Result
Malware family: purplefox
Score: 10/10
Tags: family:gh0strat family:purplefox persistence rat rootkit trojan upx
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Sets DLL path for service in the registry
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
SHA256 hash: bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
MD5 hash: 8dc3adf1c490211971c1e2325f1424d2
SHA1 hash: 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 hash: 4cb133a5b27738b7b563701e3c3a2662585f3c2588745f25be4c3ac3200ceb3e
MD5 hash: fe0e86ba53ddc13be0979d98e0a86700
SHA1 hash: 0cc57eb91c022d5d74318b1d3ad3c309408579e0
SHA256 hash: 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
MD5 hash: 4a36a48e58829c22381572b2040b6fe0
SHA1 hash: f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 hash: d62ee92b65a34ba6023b4f16dd7b8083a14a5d6bf4d99af6e82676f9d468b656
MD5 hash: 9be92b9ccb5d7469e0e136ba9c1685a3
SHA1 hash: 7c79f886d41db8c6940a78eaf176928b698dfe79
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a ransomware group.
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Windows_Generic_Threat_3f060b9c
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments