MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358
SHA3-384 hash: 83073e7b0018a0465490f2754d1e6922d6ab0ac0789d855dc961bad02f294d1ebc2976a925c5e19cf1c620fbfe797b91
SHA1 hash: 1c0664aef4e5a9dcf5df2322d236a0a9c84876c5
MD5 hash: c785c4a971afcd4e5d62b9004f47b9a9
humanhash: winner-earth-utah-sweet
File name:fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:2'944'512 bytes
First seen:2022-06-07 10:44:38 UTC
Last seen:2022-06-07 12:07:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae722c8fd7562a046434f27b43d3bc0c (1 x Gh0stRAT)
ssdeep 49152:zcvZPUCZaoej1Z0oJnmcEz1JBNfjG14TbTH7BDXWGykmlRDh4ylcnqkun2FFiPQI:zaVUdRZ0oJnm3HTjG14T3H7BDXeRDh1V
Threatray 19 similar samples on MalwareBazaar
TLSH T124D58D12B7A2B070E63536B6C0661FFF5FB9B4301EA1814361D20E7A1BB5151AD3A39F
TrID 54.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
18.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 92aaaaaaaaaab2a2 (5 x Gh0stRAT)
Reporter obfusor
Tags:dropper exe Gh0stRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
655
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
点‍击安‍装纸‍飞‍机-简‍体中文语言包.zip
Verdict:
Malicious activity
Analysis date:
2022-06-07 05:12:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8a9118d-a3e6-483e-8dce-c3f9a3f2389f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277309/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.100440.12592.24533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
DNS request
Launching a service
Launching a process
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware keylogger packed shell32.dll
Link:
https://www.filescan.io/uploads/629f2c34c221aaaa25bf7350/reports/08b00ee5-d9f0-47c9-97b8-fdce3c126a2e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef68a41c-c2c3-4575-a8e6-f765a31e8f6a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1008049
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-06-06 16:15:46 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7yy556lnnoq3tljvlm2iwx53v4lgoxvvxsfaiqo6wqhanz2jinma._file
Verdict:
malicious
Similar samples:
406375a48127dd65ec739eb3aff0d5e9c8cfea159d5cca23ea64ecb990789ac7
Gh0stRAT
434292f26fea797357e82f45440c8e26013486302a0a97dc011641ed015284df
Gh0stRAT
6b4855c27525029b4ae321dfc3c3a09331ffec5a7aabf724d5e97d04c9339682
Gh0stRAT
8b4d93af831e8015390e408e5d3ca39ea69287ed500fdea41457a652a0eb336f
Gh0stRAT
b0728becdec44adb3805d56979b209171214e70f2cc9b4e8d385eb9322290f0b
Gh0stRAT
bb6aed55da4225ebf59c253940fd805326b404da3986b75db64cc2ea9c5a40df
Gh0stRAT
bd89f4b43df255b712bba25ff9e8fca06b42e69a623f9650ebb5fe7112131580
Gh0stRAT
d066a84aa7198a0e30c6e655386ae8f000c024e468a3a99aad1b70e098ff53bd
Gh0stRAT
d3eea564009b7ebf8461fe6260105dd0a93dc3b817738837674d453ae574fcb7
Gh0stRAT
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220607-mtds2adfb5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358
MD5 hash:
c785c4a971afcd4e5d62b9004f47b9a9
SHA1 hash:
1c0664aef4e5a9dcf5df2322d236a0a9c84876c5
Link:
https://www.unpac.me/results/d474da2b-21ec-4702-aa8c-3d0ce180f6f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe31def96d6ba1b9ad355b348b5fbbaf16675eb5bc8a0441deb40e06e7494358

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/277309/

Comments