MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 16

Intelligence 16 IOCs YARA 9 File information Comments

SHA256 hash:	e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d
SHA3-384 hash:	be3f57fda6780a5f0178b5495f80e0e5f04fc4af7e19e2c3fa9bdd2e59a9bc28b2a46cefeab6c63c96f7175526151077
SHA1 hash:	cff4234d29dbee4c28680fb251e7fd0e5b443d8d
MD5 hash:	133eb1dbef01ee6e57b7f6c8c65e3de0
humanhash:	uranus-golf-enemy-ack
File name:	133eb1dbef01ee6e57b7f6c8c65e3de0.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	458'752 bytes
First seen:	2023-04-02 11:30:18 UTC
Last seen:	2023-04-02 12:35:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	77eef4e097d1e4bdf8b3e7692e2593aa (5 x Gh0stRAT)
ssdeep	12288:bkXOs/EQaS77z/t705Hux7xGTjCbqWd+YeMU:c/EQaS77TR05OxdU
Threatray	21 similar samples on MalwareBazaar
TLSH	T1BFA4AD1233E0C877D396B1B4C9C297F5A265AF011F2599C36FB1370E2D721ADAA32E15
TrID	31.0% (.EXE) InstallShield setup (43053/19/16) 22.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 9.4% (.SCR) Windows screen saver (13097/50/3) 7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	50b433e53074b4c0 (6 x Gh0stRAT, 1 x Nitol)
Reporter	abuse_ch
Tags:	exe Gh0stRAT

abuse_ch

Gh0stRAT C2:
154.221.18.47:7777

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

pcrat

ID:

File name:

133eb1dbef01ee6e57b7f6c8c65e3de0.exe

Verdict:

Malicious activity

Analysis date:

2023-04-02 11:32:04 UTC

Tags:

installer rat pcrat gh0st

Link:

https://app.any.run/tasks/8e02a61b-0a7a-45fa-bb72-a72240718efd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Zegost

Link:

https://www.capesandbox.com/analysis/379336/

Detection(s):

SecuriteInfo.com.DeepScan.Generic.KillMBR.A.BD72F115.25328.20387.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for the window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76100/overview

Behaviour

MalwareBazaar

CursorPosition

CheckScreenResolution

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

farfli greyware keylogger packed shell32.dll

Link:

https://www.filescan.io/uploads/642967785a075383fbff11bd/reports/3984aaab-7717-4713-a33b-4cac184e551c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6379e3e9-fb0a-4f0b-93c7-e1368e566de2

Result

Threat name:

GhostRat, Mimikatz, Nitol

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1206562

Signature

Antivirus / Scanner detection for submitted sample

Checks if browser processes are running

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to infect the boot sector

Contains functionality to modify windows services which are used for security filtering and protection

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected GhostRat

Yara detected Mimikatz

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2023-03-29 13:11:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 37 (81.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=44tggz676dknneumuco4vx7ztl6lecf5t6siu5mwjrbhumzkyy6q._file

Verdict:

malicious

Gh0stRAT

45827fa3c271acc4de2ec05ee95079341ba6f414e5c9e6a9e90526feb412e402

Gh0stRAT

45ba685ea7d66e5c0ac91b4c19a11dad0dff029f56afd15e87f8553f30f72d27

Gh0stRAT

bfc673b442809a22a48e4c70d5027c925c8eaa56caee77ff6f896d480d78dcc2

Gh0stRAT

d3e842a19d952d896bf00b7c9ae1cbdd9ca4813940f709f77abf3e45f6695951

Gh0stRAT

d727f725ef0c3837013468f9675b6a0531658d8e60f01e5762e130cbabd665d0

Gh0stRAT

+ 11 additional samples on MalwareBazaar

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:gh0strat rat

Link:

https://tria.ge/reports/230402-nmp36aga83/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates connected drives

Gh0st RAT payload

Gh0strat

Unpacked files

SH256 hash:

31913b545d5634caaa1a8c8f6631fc795bdb063226360edd959d0e609bbfb270

MD5 hash:

2a21c07fbd78ce1f06c1a5f4f9696aa2

SHA1 hash:

ad4b952f5fa8e6b5a792d9d864da63b5bd5bbfc0

Link:

https://www.unpac.me/results/fee70886-2bd5-456e-b743-590b2dd5a282/

Parent samples :

21a29333d1257e28e71774f939f0569830bcde339784ab04de0a5f8b937b1b1d
ab605210ed213b2dcda4fef16edcbce08700922f0e503282d40bdf0beaffb6d6

SH256 hash:

e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d

MD5 hash:

133eb1dbef01ee6e57b7f6c8c65e3de0

SHA1 hash:

cff4234d29dbee4c28680fb251e7fd0e5b443d8d

Link:

https://www.unpac.me/results/fee70886-2bd5-456e-b743-590b2dd5a282/

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e7266367dff0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.15

Link:

https://yomi.yoroi.company/submissions/e7266367dff0d4d6928ca09dcadff99afcb208bd9fa48a75964c427a332ac63d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GhostDragon_Gh0stRAT Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report
Reference:	https://blog.cylance.com/the-ghost-dragon

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

Rule name:	Windows_Trojan_Gh0st_ee6de6bc Create hunting rule
Author:	Elastic Security
Description:	Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/379336/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample