MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882
SHA3-384 hash: b1087990622f2006b81d1bf1e8f4506b0e1086b1264960c7790c6b82c8489b53bd44b86e0dc8831b6d83549765464ce4
SHA1 hash: 27990ca7b87ee8f0de27c498d598118830bc26e2
MD5 hash: adebe32cba2a072790e25d6d8ea87c9f
humanhash: december-purple-ceiling-pluto
File name:SpaceCity.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:793'600 bytes
First seen:2022-12-16 14:28:46 UTC
Last seen:2022-12-16 16:36:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d13d399db15c51a1337d692663151209 (3 x Gh0stRAT, 1 x Zegost)
ssdeep 12288:zaia+of8EJE4zszA+MkJPSS7lWo/TzHDqsZDD9OItfD5HgHq/lLguf:zaizYtsM6TjDqWDgwfZ8YLguf
Threatray 205 similar samples on MalwareBazaar
TLSH T14EF45A27E3B18BBDC156C13E81A28E19A73FB87D0733C1D745828619EB59AC01F3566E
TrID 59.1% (.SCR) Windows screen saver (13097/50/3)
13.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
9.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 7b4fcc44361e14a4 (3 x Gh0stRAT, 1 x Zegost)
Reporter iamdeadlyz
Tags:45-153-241-207 exe FakeGaliXCity Gh0stRAT SpaceCity


Avatar
Iamdeadlyz
From spacecity.games (impersonation of galixcity.io)
Taken from: e7f2167e3006889d98d73693be1a1b67ef77359f7850adee8fa079046f0c8c28
Gh0stRAT C&C: 45.153.241.207:1016

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SpaceCity.exe
Verdict:
No threats detected
Analysis date:
2022-12-16 14:30:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cbd090b1-5794-4697-aec5-0e010ac9d3dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347013/
Detection(s):
SecuriteInfo.com.FileRepMalware.22913.9852.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/52773/overview
Behaviour
MalwareBazaar
LanguageCheck
CheckNumberOfProcessor
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
cmd.exe packed
Link:
https://www.filescan.io/uploads/639c80b073102ebf5216ace3/reports/14b6fd10-8283-46b1-856b-f4ef384a9d2a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ee05b3eb-86bd-47df-8e23-566be0aebce3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1135758
Signature
Malicious sample detected (through community Yara rule)
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 768488 Sample: SpaceCity.exe Startdate: 16/12/2022 Architecture: WINDOWS Score: 52 16 Malicious sample detected (through community Yara rule) 2->16 18 Yara detected Obfuscated Powershell 2->18 7 SpaceCity.exe 2 2->7         started        process3 file4 14 C:\Users\user\AppData\Local\...\0LYAEON2.bat, ASCII 7->14 dropped 10 cmd.exe 1 7->10         started        process5 process6 12 conhost.exe 10->12         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jeiioasamicpxkrbwo23l4xhxhrlipqqh6owoigsfyprmqwrcba._file
Verdict:
unknown
Similar samples:
0331c7bca665f36513377fc301cbb32822ff35f92511579d699613f0bb624802
Gh0stRAT
12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d
Gh0stRAT
23fcbffb6a6eac85e59c0c52280ea7fa6a5859fd8f362aa91a1a3e11f6352a88
Gh0stRAT
273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735
Gh0stRAT
4d34fa5e98a0ad7ddf5604a31286b984c8e368a67b05f979dfd6c824481bbe5f
Gh0stRAT
7ceb6d9e04042cd53b9c374e69cbf22e05edff6571a01610b844963d881e1057
Gh0stRAT
94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98
Gh0stRAT
a0adb7d7f0a24b3882b1a9c4ce48c4ab23de093845dc6e949d6d036a64a33762
Gh0stRAT
a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d
Gh0stRAT
a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b
Gh0stRAT
+ 195 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-rtj29shf6v/
Behaviour
Suspicious use of WriteProcessMemory
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0a59d515-7b3e-4baa-bd59-e17755db631e
Unpacked files
SH256 hash:
e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882
MD5 hash:
adebe32cba2a072790e25d6d8ea87c9f
SHA1 hash:
27990ca7b87ee8f0de27c498d598118830bc26e2
Link:
https://www.unpac.me/results/2c96435d-bf15-4327-8052-a19e806f8a60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e7f2167e3006889d98d73693be1a1b67ef77359f7850adee8fa079046f0c8c28

Gh0stRAT

Executable exe e248843812031027dd510d9dadaf973dcf15a1f081fceb39069170f8b2168882

(this sample)

Gh0stRAT

Executable exe 78be65f626e4a9e81c655b36c96dacc8898287d4954cbffd98788e602369f8ca

Gh0stRAT

Batch (bat) bat 45c3def87b7c9a748044bc2384ae52de40b83c401c39d0c3074af8ceff55961d

  
Dropped by
SHA256 e7f2167e3006889d98d73693be1a1b67ef77359f7850adee8fa079046f0c8c28
  
Dropping
SHA256 45c3def87b7c9a748044bc2384ae52de40b83c401c39d0c3074af8ceff55961d
  
Dropping
SHA256 78be65f626e4a9e81c655b36c96dacc8898287d4954cbffd98788e602369f8ca
  
Dropping
SHA256 75a050c99cb24f2bfb3f40502fb960644e7c2f4ed143fdb5479a95a2ad487482
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2466675/
Cape
Cape
https://www.capesandbox.com/analysis/347013/
  
Dropping
MD5 c1f85f7e2b152853592d3ed8625eab34

Comments