MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1
SHA3-384 hash:	d79add23d35530279dbbd7e71edf94b3412924695a8341b893d6037eb1ab255356d0e7f3b530a8497e4f507991878bed
SHA1 hash:	0bf7464f6d08f7ba1a27fe372b57206865b34605
MD5 hash:	bf898b6c42becf5ee4f7c69419d37a80
humanhash:	finch-vermont-hamper-iowa
File name:	bf898b6c42becf5ee4f7c69419d37a80.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	179'181 bytes
First seen:	2023-12-27 10:40:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7f39532728ce325dc91e2c72b9d27ee (6 x Gh0stRAT)
ssdeep	3072:VJuGnYhTbK80khbOW1oWOQ1f9xHwm1PXBmXZFeA28pMGEdePl9dehiv80P80CnpZ:VJueTk1OwoWOQ3dwaWB28adeP/deUv8M
Threatray	7 similar samples on MalwareBazaar
TLSH	T196048C02BBC740FAEA68013C14BB3776963BAD986B095FD3A318EE755833151E633247
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	bafaacaaa28ee870 (8 x Gh0stRAT)
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
175.203.14.166:80

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

Vendor Threat Intelligence

Detection:

PcClient

Link:

https://www.capesandbox.com/analysis/469444/

Detection(s):

Win.Dropper.Shiz-9020206-0

Win.Trojan.Redosdru-9867762-0

Win.Trojan.ZeGhost-9963605-0

Win.Trojan.Generic-9967942-0

Win.Trojan.Pcclient-6804142-0

Win.Trojan.Siggen-6119664-0

Win.Trojan.Yq3a4ke3uwdb-6961395-0

Win.Spyware.84392-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Launching a process

Creating a process with a hidden window

Creating a window

Sending a custom TCP request

Unauthorized injection to a system process

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive farfli gh0strat hook hupigon keylogger lolbin overlay rat redosdru regedit rundll32 shell32

Link:

https://www.filescan.io/uploads/658bff3ff4b6e5e1635c1816/reports/4f594d06-9604-4363-9e12-4eca697312a2/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Gh0st RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/41fcea32-5be6-4421-a690-1466e8e645bc

Result

Threat name:

GhostRat

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1367333

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Checks if browser processes are running

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject threads in other processes

Contains functionality to modify clipboard data

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected GhostRat

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1/

Threat name:

Win32.Backdoor.PcClient

Status:

Malicious

First seen:

2023-12-24 10:51:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3dv5jr3tggjllbcok3nradfccvmdoqwplw3xuksxt2ju5mtrmdiq._file

Verdict:

malicious

Gh0stRAT

78366b123438b7cd2f167e49623104b76a0e27334ce3f39b91a36abe8c67d665

Gh0stRAT

bf05e2a7becec76c1c9d4754a57b84d02201249d05a5d4b67d59992155587996

Gh0stRAT

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:gh0strat persistence rat

Link:

https://tria.ge/reports/231227-mq39hsdehr/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates connected drives

Loads dropped DLL

Modifies Installed Components in the registry

Gh0st RAT payload

Gh0strat

Unpacked files

SH256 hash:

d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1

MD5 hash:

bf898b6c42becf5ee4f7c69419d37a80

SHA1 hash:

0bf7464f6d08f7ba1a27fe372b57206865b34605

Detections:

win_runningrat_auto

GhostDragon_Gh0stRAT

Link:

https://www.unpac.me/results/031faa2c-0410-4ac0-b055-4e3810a8ce91/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

PcClient

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8ebd4c7733192b5844e56db100ca215583742cf5db77a2a579e934eb27160d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/469444/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample