MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f755d085c61879c1805115cdb6f344e9c8ff3b5f7b0e261cd59694c1d82dda18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 18


Intelligence 18 IOCs YARA 17 File information Comments

SHA256 hash: f755d085c61879c1805115cdb6f344e9c8ff3b5f7b0e261cd59694c1d82dda18
SHA3-384 hash: 4c062ee00b2c1cac2325ca1a7e4f10c8858a62cc22122ec1a095aa0c70c9abe240724a29cf4ebb570aec739d7f8286bb
SHA1 hash: fc15b444c98d7a016215ea5dfb2d729b608990f9
MD5 hash: 5248553fe872c655e29ef71f6333a585
humanhash: monkey-triple-burger-carolina
File name:无常订制QQ语音神器.exe
Download: download sample
Signature Gh0stRAT
File size:826'368 bytes
First seen:2026-06-26 07:24:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8ae571e62a3de0944af5f9fc8966bc7c (1 x XRed, 1 x Gh0stRAT)
ssdeep 24576:MiZNG1yTNUMkmkRsLr9sMc1Cb1jaG74BtVFB:ug0vfEbRb4B9B
TLSH T1490522868946D169D9A098B8D1DF10FD0EFA6DD7F7004AF32508FECA7A72195332B618
TrID 39.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
21.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.3% (.EXE) Win64 Executable (generic) (6522/11/2)
6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon acefcdcdac9cd4e7 (1 x Gh0stRAT)
Reporter Ling
Tags:exe gh0st Gh0stRAT


Avatar
CNGaoLing
Gh0stRAT
IOC (117.72.183.111 :88 / :8888)

Intelligence


File Origin
# of uploads :
1
# of downloads :
201
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
ID:
1
File name:
QQ.exe
Verdict:
Malicious activity
Analysis date:
2026-06-26 07:20:47 UTC
Tags:
auto-startup gh0st rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
vmdetect madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file in the Windows directory
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a file
Creating a service
Launching a service
Launching a process
Moving a file to the Windows subdirectory
Searching for synchronization primitives
Loading a suspicious library
Sending a custom TCP request
Launching a file downloaded from the Internet
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper evasive microsoft_visual_cc packed reconnaissance
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-26T04:06:00Z UTC
Last seen:
2026-06-27T20:09:00Z UTC
Hits:
~100
Detections:
VHO:Backdoor.Win32.Farfli.gen Trojan.Win32.Agent.sb Trojan.Win32.Vimditator.sb Backdoor.Win32.Lotok.sbc HEUR:Trojan.Win32.Agent.gen Backdoor.Win32.Zegost.dfqn Trojan-Spy.Win32.Agent.sb VHO:Backdoor.Win32.Zegost.gen Trojan-Spy.Win64.Agent.sb Trojan-Downloader.Win32.Agent.sb Rootkit.Win64.Agent.bgp HEUR:Trojan.Win32.Generic HEUR:Backdoor.Win32.Generic Backdoor.Win32.Farfli.bwzh Trojan.Win32.Vehidis.sb HEUR:Backdoor.Win32.Lotok.gen Backdoor.Win32.Zegost.sb Backdoor.Win32.Farfli.sb Trojan.Scar.HTTP.C&C PDM:Trojan.Win32.Generic
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.FatalRAT
Status:
Malicious
First seen:
2026-06-26 07:21:07 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
fatalrat
Similar samples:
Result
Malware family:
purplefox
Score:
  10/10
Tags:
family:gh0strat family:purplefox discovery persistence rat rootkit trojan
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Sets service image path in registry
Detect PurpleFox Rootkit
Family: Gh0strat
Family: PurpleFox
Gh0st RAT payload
Unpacked files
SH256 hash:
f755d085c61879c1805115cdb6f344e9c8ff3b5f7b0e261cd59694c1d82dda18
MD5 hash:
5248553fe872c655e29ef71f6333a585
SHA1 hash:
fc15b444c98d7a016215ea5dfb2d729b608990f9
Malware family:
HiddenGh0st
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Hidden
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:JKornevHidden
Author:Still
Description:attempts to match the strings found in JKornev's Hidden rootkit
Rule name:MALWARE_Win_PCRat
Author:ditekSHen
Description:Detects PCRat / Gh0st
Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:Mimikatz_Strings
Author:Florian Roth (Nextron Systems)
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Trojan_Generic_9e4bb0ce
Author:Elastic Security
Rule name:Windows_Trojan_Gh0st_ee6de6bc
Author:Elastic Security
Description:Identifies a variant of Gh0st Rat

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe f755d085c61879c1805115cdb6f344e9c8ff3b5f7b0e261cd59694c1d82dda18

(this sample)

  
Delivery method
Distributed via web download

Comments