MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e76f937ea4d7c2d08d0c6324b6e2ab00173093e005dc87f3713c2c3af7d60675. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT
Vendor detections: 13


SHA256 hash: e76f937ea4d7c2d08d0c6324b6e2ab00173093e005dc87f3713c2c3af7d60675
SHA3-384 hash: af61fd505a4bf659d3ba61955fdfc85636bfe2ad9c80135963519ba9c4cdb7282dfefb9711fb800e211d5d6723e7d922
SHA1 hash: fe30de46fcd56da7edac8e9b42389f965f5612e1
MD5 hash: 4ce27050d9b4c3571df2f71dc5329be9
humanhash: alpha-echo-wolfram-arkansas
File name: 4ce27050d9b4c3571df2f71dc5329be9.exe
Signature: Gh0stRAT
File size: 121'983 bytes
First seen: 2022-11-07 23:45:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 629184859e99bc7c1eff015b4e741406 (1 x Gh0stRAT)
ssdeep: 1536:42ldhcpSTZYQT2mw3njOwFRHeTdh9vtNol3FxDf8lBNPcRMHvtulGghoB6ann6Nk:l5/itRjOAaVNENUlBZvPU9u/n6CYW
Threatray: 84 similar samples on MalwareBazaar
TLSH: T1DEC30186025ADE96D0E8F33F68D4B45BF289045A7814ECC86CDECB582B93DA444FD94F
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: abuse_ch
Tags: exe Gh0stRAT


abuse_ch
Gh0stRAT C2:
183.236.2.18:1415

Intelligence


File Origin
# of uploads: 1
# of downloads: 172
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4ce27050d9b4c3571df2f71dc5329be9.exe
Verdict: No threats detected
Analysis date: 2022-11-07 23:47:02 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bifrose cutwail packed pcclient

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GhostRat
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Creates a Windows Service pointing to an executable in C:\Windows
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Yara detected GhostRat
Behaviour
Behavior Graph:
Threat name: Win32.Backdoor.PcClient
Status: Malicious
First seen: 2011-05-29 12:53:00 UTC
File Type: PE (Exe)
AV detection: 32 of 41 (78.05%)
Threat level: 5/5

Result
Malware family: gh0strat
Score: 10/10
Tags: family:gh0strat persistence rat
Behaviour
Suspicious behavior: LoadsDriver
Program crash
Drops file in System32 directory
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Sets DLL path for service in the registry
Gh0st RAT payload
Gh0strat
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 2ee04c08e5838ddef234e96b6c4d7584c023c179effb39d1362346b1e3727168
MD5 hash: 578a5dba015ebf0cda98f6cdbe5ebead
SHA1 hash: b0fd8f16e2d5d2c5fbc28be716436489b8600d7a

SHA256 hash: dd02b124991123d542332a2e0c6be81b90c124f036054a090b4a51245049e6b8
MD5 hash: 9cd374682f81b0ef384167ed43dbc745
SHA1 hash: b6985a8ce29fda256b1d3692937c5bd954d67f86

SHA256 hash: e76f937ea4d7c2d08d0c6324b6e2ab00173093e005dc87f3713c2c3af7d60675
MD5 hash: 4ce27050d9b4c3571df2f71dc5329be9
SHA1 hash: fe30de46fcd56da7edac8e9b42389f965f5612e1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments