{
	"id": "692a317e-7e1c-4fc1-9bff-2746f8cd0830",
	"created_at": "2026-04-06T00:11:10.447223Z",
	"updated_at": "2026-04-10T03:22:01.035202Z",
	"deleted_at": null,
	"sha1_hash": "b49facd3aa055abb703c0f64b8a6ab0fdde08401",
	"title": "Malware-Traffic-Analysis.net - 2018-01-04 - PCRAT/Gh0st infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1337658,
	"plain_text": "Malware-Traffic-Analysis.net - 2018-01-04 - PCRAT/Gh0st infection\r\nArchived: 2026-04-05 15:27:40 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2018-01-04-PCRAT-Gh0st-traffic.pcap.zip   1.7 kB (1,681 bytes)\r\n2018-01-04-PCRAT-Gh0st-traffic.pcap   (5,009 bytes)\r\n2018-01-04-PCRAT-Gh0st-email-and-malware.zip   701.6 kB (701,577 bytes)\r\n2018-01-04-malspam-pushing-PCRAT-Gh0st-1813-UTC.eml   (256,098 bytes)\r\nRasTls.dat   (149,816 bytes)\r\nRasTls.dll   (45,056 bytes)\r\nRasTls.exe   (107,848 bytes)\r\nVery beautiful.exe   (393,216 bytes)\r\nVery beautiful.zip   (185,607 bytes)\r\nNOTES:\r\nThe zip attachment is password-protected with 123 as stated in the malspam.\r\nPost-infection activity triggered an EmergingThreats alert for PCRAT/Gh0st CnC traffic.\r\nWEB TRAFFIC BLOCK LIST\r\nIndicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:\r\nwww.etybh[.]com\r\nEMAIL\r\nhttp://www.malware-traffic-analysis.net/2018/01/04/index.html\r\nPage 1 of 6\r\nShown above:  Screenshot of the email.\r\nEMAIL INFORMATION:\r\nDate:  Wednesday, 2018-01-03 at 18:13 UTC\r\nSubject:  Very beautiful\r\nFrom:  howie9ball@aol[.]com\r\nTo:  [a very long list of recipients]\r\nMessage-Id:  \u003c160bd3a471c-171d-2842@webjas-vac003.srv.aolmail.net\u003e\r\nAttachment name:  Very beautiful.zip\r\nShown above:  Malware extracted from the zip attachment.\r\nTRAFFIC\r\nShown above:  Infection traffic filtered in Wireshark.\r\nASSOCIATED TRAFFIC:\r\n98.126.223[.]218 port 900 - www.etybh[.]com - PCRAT/Gh0st CnC traffic\r\nMALWARE\r\nZIP ARCHIVE FROM THE MALSPAM:\r\nSHA256 hash:  067d5729b4787fc667c061b027625be4273806c64beacfb6877fc7f182f9ed37\r\nFile size:  185,607 bytes\r\nFile name:  Very beautiful.zip\r\nMALICIOUS EXECUTABLE EXTRACTED FROM THE ZIP ARCHIVE:\r\nSHA256 hash:  423f4c1f9ba4f184ff6e82db4f01420feb7b76693bdece6402fc2157c0c2f946\r\nFile size:  393,216 bytes\r\nFile name:  Very beautiful.exe\r\nEXECUTABLE FROM THE INFECTED WINDOWS HOST:\r\nSHA256 hash:  f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68\r\nFile size:  107,848 bytes\r\nFile location:  C:\\Microsoft\\TEMP\\Networks\\Connections\\Sementech\\sementech\\RasTls.exe\r\nNOTE:  This is apparently a legitimate file abused by various Trojans for DLL side-loading.\r\nDLL FROM THE INFECTED WINDOWS HOST:\r\nSHA256 hash:  a392f8f96ffc53978b177d844ef17adb09c6329997f29334e5c2029e8f5f18e8\r\nFile size:  45,056 bytes\r\nFile location:  C:\\Microsoft\\TEMP\\Networks\\Connections\\Sementech\\sementech\\RasTls.dll\r\nWINDOWS REGISTRY ENTRY FOR PERSISTENCE:\r\nRegistry Key:  HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\nValue name:  Load\r\nValue Type:  REG_SZ\r\nValue Data:  cmd /c C:\\Microsoft\\TEMP\\Networks\\Connections\\Sementech\\sementech\\RasTls.exe\r\nIMAGES\r\nShown above:  TCP stream from the post-infection traffic.\r\nShown above:  Alert from Sguil on the post-infection traffic in Security Onion using Suricata and the EmergingThreats ruleset.\r\nShown above:  Registry key and associated files on the infected Windows host.\r\nShown above:  Apparently, a legitimate file abused by various malware families for DLL side-loading.\r\nSource: http://www.malware-traffic-analysis.net/2018/01/04/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://www.malware-traffic-analysis.net/2018/01/04/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b49facd3aa055abb703c0f64b8a6ab0fdde08401.pdf",
		"text": "https://archive.orkl.eu/b49facd3aa055abb703c0f64b8a6ab0fdde08401.txt",
		"img": "https://archive.orkl.eu/b49facd3aa055abb703c0f64b8a6ab0fdde08401.jpg"
	}
}