ScreenShot
| Created | 2024.03.17 10:42 | Machine | s1_win7_x6403 |
| Filename | Jserver.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 67 detected (AIDetectMalware, lNr1, malicious, high confidence, score, Aksula, GenericRXER, Redosdru, unsafe, Save, Dialer, Farfli, Generickdz, cdfh, rkaxu, Zegost, CLASSIC, bmnya, DownLoader5, SM34, high, Detected, ai score=82, HeurC, KVM003, Kryptik, BHFS@56cp6y, NOSK, R29369, ZexaF, JyuaaaazxVib, SScope, SvcHorse, P2PWorm, GenAsa, KukhCishWjo, Static AI, Malicious PE, susgen, confidence, 100%) | ||
| md5 | acb1db4ec57c38396cf879d242fc163b | ||
| sha256 | 37e1355e114e63d1124f0db59fd33223c6a6664dc6858c9c418948ebaa132afb | ||
| ssdeep | 12288:nruM9FNatyT3gNCpOdn/u9cZNJ7QD7HZ5rbx:q+atynpOd//zJO7HX | ||
| imphash | a0158c18d7c57554131cbbf4101b1cab | ||
| impfuzzy | 24:2cDooTajRiOovuSrWyM/Kujgv8ERyvxrTl4:xejR1hcQ5xd4 | ||
Network IP location
Signature (15cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 67 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| watch | Creates known Zegost files |
| watch | Detects VMWare through the in instruction feature |
| watch | Installs itself for autorun at Windows startup |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Expresses interest in specific running processes |
| notice | Foreign language identified in PE resource |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| info | One or more processes crashed |
| info | The executable uses a known packer |
| info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (6cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win_Backdoor_GhostRAT_Zero | Win Backdoor GhostRAT | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Suricata ids
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x458154 HeapAlloc
0x458158 GetProcessHeap
0x45815c VirtualAlloc
0x458160 VirtualProtect
0x458164 VirtualFree
0x458168 GetProcAddress
0x45816c LoadLibraryA
0x458170 IsBadReadPtr
0x458174 HeapFree
0x458178 FreeLibrary
0x45817c IsBadWritePtr
0x458180 HeapValidate
0x458184 GetModuleHandleA
0x458188 GetStartupInfoA
0x45818c GetCommandLineA
0x458190 GetVersion
0x458194 ExitProcess
0x458198 DebugBreak
0x45819c GetStdHandle
0x4581a0 WriteFile
0x4581a4 InterlockedDecrement
0x4581a8 OutputDebugStringA
0x4581ac InterlockedIncrement
0x4581b0 GetModuleFileNameA
0x4581b4 HeapReAlloc
0x4581b8 GetLastError
0x4581bc GetEnvironmentVariableA
0x4581c0 GetVersionExA
0x4581c4 HeapDestroy
0x4581c8 HeapCreate
0x4581cc TerminateProcess
0x4581d0 GetCurrentProcess
0x4581d4 UnhandledExceptionFilter
0x4581d8 FreeEnvironmentStringsA
0x4581dc FreeEnvironmentStringsW
0x4581e0 WideCharToMultiByte
0x4581e4 GetEnvironmentStrings
0x4581e8 GetEnvironmentStringsW
0x4581ec SetHandleCount
0x4581f0 GetFileType
0x4581f4 RtlUnwind
0x4581f8 SetConsoleCtrlHandler
0x4581fc MultiByteToWideChar
0x458200 GetStringTypeA
0x458204 GetStringTypeW
0x458208 GetCPInfo
0x45820c GetACP
0x458210 GetOEMCP
0x458214 SetFilePointer
0x458218 LCMapStringA
0x45821c LCMapStringW
0x458220 SetStdHandle
0x458224 FlushFileBuffers
0x458228 CloseHandle
EAT(Export Address Table) is none
KERNEL32.dll
0x458154 HeapAlloc
0x458158 GetProcessHeap
0x45815c VirtualAlloc
0x458160 VirtualProtect
0x458164 VirtualFree
0x458168 GetProcAddress
0x45816c LoadLibraryA
0x458170 IsBadReadPtr
0x458174 HeapFree
0x458178 FreeLibrary
0x45817c IsBadWritePtr
0x458180 HeapValidate
0x458184 GetModuleHandleA
0x458188 GetStartupInfoA
0x45818c GetCommandLineA
0x458190 GetVersion
0x458194 ExitProcess
0x458198 DebugBreak
0x45819c GetStdHandle
0x4581a0 WriteFile
0x4581a4 InterlockedDecrement
0x4581a8 OutputDebugStringA
0x4581ac InterlockedIncrement
0x4581b0 GetModuleFileNameA
0x4581b4 HeapReAlloc
0x4581b8 GetLastError
0x4581bc GetEnvironmentVariableA
0x4581c0 GetVersionExA
0x4581c4 HeapDestroy
0x4581c8 HeapCreate
0x4581cc TerminateProcess
0x4581d0 GetCurrentProcess
0x4581d4 UnhandledExceptionFilter
0x4581d8 FreeEnvironmentStringsA
0x4581dc FreeEnvironmentStringsW
0x4581e0 WideCharToMultiByte
0x4581e4 GetEnvironmentStrings
0x4581e8 GetEnvironmentStringsW
0x4581ec SetHandleCount
0x4581f0 GetFileType
0x4581f4 RtlUnwind
0x4581f8 SetConsoleCtrlHandler
0x4581fc MultiByteToWideChar
0x458200 GetStringTypeA
0x458204 GetStringTypeW
0x458208 GetCPInfo
0x45820c GetACP
0x458210 GetOEMCP
0x458214 SetFilePointer
0x458218 LCMapStringA
0x45821c LCMapStringW
0x458220 SetStdHandle
0x458224 FlushFileBuffers
0x458228 CloseHandle
EAT(Export Address Table) is none