MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8e0b570da7fe439146d5ab370ae477b391f0ec38ef5bdf42d669bf68c341573. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 9

SHA256 hash: e8e0b570da7fe439146d5ab370ae477b391f0ec38ef5bdf42d669bf68c341573
SHA3-384 hash: 8b0d8203824b890146ee39aa998cc8775fc7bb55def50077f4d4d989495b66b3ca0856297c0b2d71932a287fee5e87d0
SHA1 hash: 12a15e5aaabbb31982372107850666778ced3569
MD5 hash: a5008c9723d23257805632be4344625f
humanhash: quebec-king-tango-wisconsin
File name: SecuriteInfo.com.HEUR.Backdoor.Win32.Lotok.gen.21702.27788
Signature: Gh0stRAT
File size: 1'171'456 bytes
First seen: 2025-02-28 22:54:34 UTC
Last seen: 2025-02-28 23:33:24 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: d3fe4172bbb62d0cf51ae50c078e65b3 (2 x Gh0stRAT)
ssdeep: 24576:JzjssbYi5BP3Wx5cuWDHyEI6CmW6GrpZ:xsEleKPH6p
TLSH: T11F456C0A2E9D0C29DBA2D336C095E4E39CE9D795814F83A1D988F7D90059663FCE60FD
TrID: 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: dll Gh0stRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 402
Origin country: FR
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: shellcode dropper virus madi

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: microsoft_visual_cc obfuscated packed packed packer_detected

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: GhostRat, Mimikatz, Nitol
Detection: malicious
Classification: bank.troj.spyw.evad
Score: 100 / 100
Signature
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph: ID 1626854, sample SecuriteInfo.com.HEUR.Backd..., start date 28/02/2025, architecture WINDOWS, score 100.
Top-level signatures in the graph: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures.
Process tree recovered from the graph: loaddll32.exe started two rundll32.exe instances, cmd.exe and 22 other processes. The first rundll32.exe started WerFault.exe and triggered "Found evasive API chain (may stop execution after checking mutex)", "Contains functionality to automate explorer (e.g. start an application)", "Contains functionality to access PhysicalDrive, possible boot sector overwrite" and 4 other signatures. The second rundll32.exe connected to 27.124.3.252 (ports 49848, 881; BCPL-SGBGPNETGlobalASNSG, Singapore) and triggered "System process connects to network (likely due to code injection or exploit)" and "Creates an autostart registry key pointing to binary in C:\Windows". cmd.exe started a further rundll32.exe, which started WerFault.exe; the 22 other processes started four WerFault.exe instances.
Verdict: malicious
Label(s): gh0strat
Similar samples:

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SHA256 hash: e8e0b570da7fe439146d5ab370ae477b391f0ec38ef5bdf42d669bf68c341573
MD5 hash: a5008c9723d23257805632be4344625f
SHA1 hash: 12a15e5aaabbb31982372107850666778ced3569
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Armadillov1xxv2xx
Author: malware-lu

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Sample: Gh0stRAT, DLL e8e0b570da7fe439146d5ab370ae477b391f0ec38ef5bdf42d669bf68c341573 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high

Reviews
ID             Capabilities                        Evidence
COM_BASE_API   Can Download & Execute components   ole32.dll::CoCreateInstance
WIN_REG_API    Can Manipulate Windows Registry     ADVAPI32.dll::RegOpenKeyA, ADVAPI32.dll::RegSetValueExA
