MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620
SHA3-384 hash: 1ab2b188d7c07171b8e5c6b5f669f8e5e40a4f9abec469257ad379d893cfa62c7b34b7a74a94813f2ebb7add30901ddc
SHA1 hash: 4b581ca6d9dbf9871881e607ac04e7c7c4615f90
MD5 hash: 95f617819d5445b3d7e38ef1b9582fe2
humanhash: queen-iowa-network-artist
File name:svchost.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:139'264 bytes
First seen:2022-08-27 18:59:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8f50a4fbe43851219d890796902c6fd (3 x Gh0stRAT, 2 x YoungLotus)
ssdeep 1536:TTrx8TkMw/Za0ptGiHjdbxv7fjTHMB5RJGNoQ0u0M+xY7H56uDd+by+ik5TX:TMwRa0ptB3EpCH0u0MDN9LcNX
Threatray 42 similar samples on MalwareBazaar
TLSH T1FDD37C02F39CC162C04153BC8FA19AA95EF7FF718AE51D8B379C2BE90B34B945A2D145
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter r3dbU7z
Tags:exe Gh0stRAT GhostRat

Intelligence

File Origin
# of uploads :
1
# of downloads :
374
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
No threats detected
Analysis date:
2022-08-27 19:00:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/337800d4-3c7a-408b-a7af-9046d4ba801d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301694/
Detection(s):
Win.Dropper.Gh0stRAT-7577253-0
Create hunting rule

Win.Dropper.Gh0stRAT-9847935-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a service
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30383/overview
Behaviour
MalwareBazaar
CallSleep
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware zusy
Link:
https://www.filescan.io/uploads/630a69f2c9bbd990979b2bd7/reports/074f851f-7dca-45ca-ba20-522ac6d5e769/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Lotok
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae242d11-8eb6-4f62-a700-f92b51a6ffe7
Result
Threat name:
Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1059026
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620/
Threat name:
Win32.Trojan.GhostRatCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-08-27 19:00:07 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pfwfnonwzzeqohprpu475royrynwyecpyang7jk4mqyy3eeuyqa._file
Verdict:
malicious
Similar samples:
02e9b3ef447e4ac8c95640b35105ab021f37a23262dc4b6b0ebbe334564e02e0
Gh0stRAT
64a4ae0b63cc68ddc4a8586d6f2da627915a11729fc3d26db05e4e57f2489b95
Gh0stRAT
70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f
Gh0stRAT
a26fe271dec3eb5b7c11bbca064f6bbe9ba65b6a7a177589e32c801b8c0c4c77
Gh0stRAT
dc237f4cc7345a95adf4ed179b9270612fff48236e10dba129892186966d4056
Gh0stRAT
f67a41e2609e49ffcd1922c9a892c44c3e9af7c68539c1c3ee6b6fdbedc3d437
Gh0stRAT
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220827-xnl8bsefhk/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
e3b198f30a7e90013b93d6259a8b53d67eeb9e27176c391ebc45d1ea4bf94753
MD5 hash:
98623ccfb5440a8757103192443470ca
SHA1 hash:
d5100f7118dbbeec2b02c2efafcc9dffbcccd963
Detections:
win_younglotus_g0
Create hunting rule
win_younglotus_auto
Create hunting rule
Link:
https://www.unpac.me/results/e8da5be5-8bf4-4559-b0b9-f8eb939c36f3/
Parent samples :
70ac339c41eb7a3f868736f98afa311674da61ae12164042e44d6e641338ff1f
e8c9ef1dd0acb526355e36712841d4d843cfcac7ed2a50ec01ae12c2cf3438e9
26613cef7ccbaa737704157f03630a0a0100c1b3b2cfa1918aaaabd6bcf74ded
ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620
a5abe9b651a53a8d4e458d80a3f3d1a6cb12fd30c51c4f2c1ae385921175f977
SH256 hash:
ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620
MD5 hash:
95f617819d5445b3d7e38ef1b9582fe2
SHA1 hash:
4b581ca6d9dbf9871881e607ac04e7c7c4615f90
Link:
https://www.unpac.me/results/e8da5be5-8bf4-4559-b0b9-f8eb939c36f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.82
Link:
https://yomi.yoroi.company/submissions/ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:win_younglotus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.younglotus.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe ebcb62b5cdb6724838ef8be9cff62ec470db60827e00d37d2ae3218c6c84a620

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/301694/

Comments