MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 15

Intelligence 15 IOCs YARA 14 File information Comments

SHA256 hash:	f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd
SHA3-384 hash:	a32a3de746c17ef528a7414c4876881050a73275f45f6c8371cf86bea268cde871ec922d1973a77a8d68806ad63b7793
SHA1 hash:	dc83a46005ee88160a8b55041ea6169661889808
MD5 hash:	413bbc96bb4b07c3532fdda2988ab2cf
humanhash:	edward-single-grey-violet
File name:	f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	4'601'344 bytes
First seen:	2024-02-07 15:15:37 UTC
Last seen:	2024-02-07 17:29:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	12fa6858b9a8e262fcd26cff1e8b9251 (1 x Gh0stRAT)
ssdeep	98304:YX899zKSNAYr+KgkjPqUWnz1vxSm/f8oLE5rFqFLOAkGkzdnEVomFHKnPY:Yi8pCXMf8oLAr0FLOyomFHKnP
TLSH	T1CA2639193E4D0C29CAA3CB32D484E5B7ACE9DBA8451F43D28548F7AC1135253FD968BE
TrID	58.2% (.OCX) Windows ActiveX control (116521/4/18) 28.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 5.2% (.EXE) Win64 Executable (generic) (10523/12/4) 2.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.2% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	787c78fa87f7e6c4 (16 x Gh0stRAT, 11 x Pikabot, 9 x ManusCrypt)
Reporter	adrian__luca
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd

Verdict:

Malicious activity

Analysis date:

2024-02-07 15:15:10 UTC

Tags:

sainbox backdoor remote

Link:

https://app.any.run/tasks/1b8b9cd5-069a-4941-88bb-45644d140ec1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

PCRat / Gh0st

Link:

https://www.capesandbox.com/analysis/475215/

Detection(s):

SecuriteInfo.com.Trojan.Siggen23.21242.9400.31988.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint hook keylogger lolbin packed shell32

Link:

https://www.filescan.io/uploads/65c39ebc186112aa12a370d1/reports/943bcb6a-27d4-4485-a374-d4d36442be4a/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Farfli

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9412f761-ca64-4c11-a7e2-a6288b71ef51

Result

Threat name:

GhostRat, Mimikatz

Detection:

malicious

Classification:

bank.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1388482

Signature

Checks if browser processes are running

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected GhostRat

Yara detected Mimikatz

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2024-01-29 21:12:00 UTC

File Type:

PE (Exe)

Extracted files:

823

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6efc2ufmkx7lxdi23cifd6uxexa4otondvzk6eklxpt6xioju3oq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240207-snfy4aga9v/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Enumerates connected drives

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

9f4e614f8da2231e45d118ae81828e0dc85fb41d97635951bea5b6a8e58b7373

MD5 hash:

fb73bc2a9920af04fa6e0174c06bd04d

SHA1 hash:

1b95e4502086ea664dc454d9de67a8fdfe820c29

Detections:

INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess

MALWARE_Win_FatalRAT

Mimikatz_Strings

MALWARE_Win_PCRat

MALWARE_Win_Zegost

Link:

https://www.unpac.me/results/fc065c07-0fe3-4367-9cc9-2edf8a2c716d/

Parent samples :

f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd
4b1cbe3c6360f552e8cdc80541ec950311ba0d5f079d1e67f3c27fe132fcec3b
69ada5ba27acac423073b251d25fc23b09e4d5127f879d07a0c4ae01366ce8a5

SH256 hash:

f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd

MD5 hash:

413bbc96bb4b07c3532fdda2988ab2cf

SHA1 hash:

dc83a46005ee88160a8b55041ea6169661889808

Link:

https://www.unpac.me/results/fc065c07-0fe3-4367-9cc9-2edf8a2c716d/

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f10a2d50ac55/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f10a2d50ac55febb8d1ad89051fa9725c1c74dcd1d72af114bbbe7eba1c9a6dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Armadillov1xxv2xx Create hunting rule
Author:	malware-lu

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess Create hunting rule
Author:	ditekSHen
Description:	Detects executables calling ClearMyTracksByProcess

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MALWARE_Win_FatalRAT Create hunting rule
Author:	ditekSHen
Description:	Detects FatalRAT

Rule name:	MALWARE_Win_PCRat Create hunting rule
Author:	ditekSHen
Description:	Detects PCRat / Gh0st

Rule name:	MALWARE_Win_Zegost Create hunting rule
Author:	ditekSHen
Description:	Detects Zegost

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Mimikatz_Strings_RID2DA0 Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Windows_Trojan_Gh0st_ee6de6bc Create hunting rule
Author:	Elastic Security
Description:	Identifies a variant of Gh0st Rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/475215/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample