MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CastleRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3
SHA3-384 hash: f606f9b29493e7ead9fc8db333e85d8c5a44ec51256388d34c8cc5293aeec099740e49124a2d40e0d19b1258ddb901f6
SHA1 hash: a26f57ea00c04fab5be7ae7f9dbf29665878a355
MD5 hash: 0cf2b57111bc34574e9405aa9aacad58
humanhash: edward-london-orange-kilo
File name:second stage.ps1
Download: download sample
Signature CastleRAT
Create hunting rule
File size:1'393 bytes
First seen:2025-12-22 16:44:04 UTC
Last seen:2025-12-23 07:56:59 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:hTTf2SWRef2bf23Jf2bf2UmGf2kKyVf2UcLNU3f2/ifwqf2U8xnQEif2IJ7EHMfL:hnflrfmfAfmfhPfxTfh93fIif5fh8xnS
Threatray 31 similar samples on MalwareBazaar
TLSH T12E21504E3879024C584023B3390C5ADF8639432EBA3902F0CB9B987A691D052B5FF78D
Magika powershell
Reporter ShadowOpCode
Tags:booking melasio-com miteamss-com partner-hotel-app ps1

Intelligence

File Origin
# of uploads :
2
# of downloads :
45
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69497561a6c88bb4cc23897c
Tags:
smarts keylog micro
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6949755ee126b9ff438cbbaa/reports/6e287aad-18fb-4d8c-9863-211983ee14d9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3
Verdict:
Malicious
File Type:
ps1
First seen:
2025-12-22T14:01:00Z UTC
Last seen:
2025-12-22T17:28:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.APosT.blvr
Link:
https://opentip.kaspersky.com/0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3
Verdict:
Malware
YARA:
1 match(es)
Tags:
Base64 Block Contains Base64 Block DeObfuscated PowerShell
Link:
https://app.malva.re/file/0cf2b57111bc34574e9405aa9aacad58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3
Threat name:
Win32.Trojan.APost
Create hunting rule
Status:
Suspicious
First seen:
2025-12-22 16:44:16 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwojebgkldkxu5wxko7u56feemlxx55zveuu4sn2udzqm6umxpjq._file
Verdict:
malicious
Label(s):
castlerat
Create hunting rule
Similar samples:
0b93b73e87318abccd24e44e2040bb0dc369c6cd0ac873f7977e40b17796bd82
CastleRAT
0fa8d2dce87fd3e27c2543c9dcf2931fdafd856ca4e14ee21531fb942dc3b36e
CastleRAT
41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8
CastleRAT
c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919
CastleRAT
e779e7c5dfba028f616eb4efc98523561e194c0cbb99192a9dab535f9d7936a4
CastleRAT
error
CastleRAT
f58056af2ee8a026f77617845746947929b52140b4c7240bdfb985fcef6b6279
CastleRAT
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence spyware stealer
Link:
https://tria.ge/reports/251222-t81dxawndw/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Executes dropped EXE
Reads user/profile data of web browsers
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CastleRAT

PowerShell (PS) ps1 0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3

(this sample)

CastleRAT

Executable exe c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919

CastleRAT

zip 897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702

  
Dropping
SHA256 897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702
  
Dropping
MD5 3c28bcaf72e41f41edc6e19d8e39a3da

Comments