MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744
SHA3-384 hash: 195a1ee0cacbc3d4a7edb1cf40534b181b563deb1bc7e4748ae89a100679602c39144c0dbf4cae77ad6d393bb0833055
SHA1 hash: 2485624a0b5baa8b31cf0bd6a58c97f8801d1e89
MD5 hash: f72044c346514c01e42303b0461af269
humanhash: blossom-spaghetti-pip-blossom
File name:win32-chromesog.msi
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:72'581'632 bytes
First seen:2026-04-14 20:53:56 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:2uBnD/IqC/25jK4vz7cQHsncmTXuLVExV7pGmaHnIE0ae:2SnD/a/Ajxs4AV0mqY3
Threatray 117 similar samples on MalwareBazaar
TLSH T17DF73322B0CE8731E5AF90745976DB7991F23DD107B084DB53E4C87B4A3A6C20A76F62
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:CHN Gh0stRAT j6fadacai-com msi PurpleFox xiaoshihou37-top


Avatar
iamaachum
https://cn-kuailiam.top/ => https://baiduoss.oss-cn-hongkong.aliyuncs.com/win32-chromesog.zip

Gh0stRAT, PurpleFox C2:
43.248.172.30:56310
43.248.172.30:56311
j6fadacai.com
xiaoshihou37.top

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
ES ES
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/08621326-d523-4fe7-85f7-931fdf082646/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dea99ef68adfe10039dd8e
Tags:
virus shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 CAB cmd evasive expired-cert explorer fingerprint fingerprint fingerprint greyware installer keylogger lolbin lolbin overlay packed packed wix
Link:
https://www.filescan.io/uploads/69dea9885ea31bc68a2ad8b4/reports/af39c9db-3fe7-4c85-bf6c-ffc1ae08a57b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2026-04-14T18:00:00Z UTC
Last seen:
2026-04-16T04:44:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Lotok.sbc Trojan.Win32.Zenpak.sb Trojan.Win32.Yakes Trojan.Win32.Shella.kz Trojan.Win32.Agentb.bxom Trojan-Dropper.Win32.Batut.sb HEUR:Backdoor.Win32.nimpl.a Backdoor.Win32.Gulpix.sb Backdoor.Win32.Farfli.sb Trojan-Spy.Win32.Agent.sb Trojan.Win32.Qhost.sb Trojan.Win32.Loader.rlh Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744/results?tab=lookup
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
62 / 100
Link:
https://www.joesandbox.com/analysis/1898342
Signature
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1898342 Sample: win32-chromesog.msi Startdate: 14/04/2026 Architecture: WINDOWS Score: 62 92 xiaoshihou37.top 2->92 94 j6fadacai.com 2->94 96 4 other IPs or domains 2->96 108 Malicious sample detected (through community Yara rule) 2->108 110 Multi AV Scanner detection for dropped file 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 8 other signatures 2->114 11 msiexec.exe 83 39 2->11         started        15 msiexec.exe 14 2->15         started        17 datesk supe37.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 file5 64 C:\Windows\Installer\MSI9BB4.tmp, PE32+ 11->64 dropped 66 C:\Windows\Installer\MSI7713.tmp, PE32 11->66 dropped 68 C:\Windows\Installer\MSI76A4.tmp, PE32 11->68 dropped 76 2 other malicious files 11->76 dropped 116 Drops executables to the windows directory (C:\Windows) and starts them 11->116 21 MSI9BB4.tmp 1 11->21         started        23 msiexec.exe 1 11->23         started        25 msiexec.exe 11->25         started        70 C:\Users\user\AppData\Local\...\MSI9C84.tmp, PE32 15->70 dropped 72 C:\Users\user\AppData\Local\...\MSI9C54.tmp, PE32 15->72 dropped 74 C:\Users\user\AppData\Local\...\MSI3C70.tmp, PE32 15->74 dropped 78 6 other malicious files 15->78 dropped signatures6 process7 process8 27 letsvpn-latest.exe 10 286 21->27         started        31 datesk supe37.exe 1 30 23->31         started        dnsIp9 80 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 27->80 dropped 82 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 27->82 dropped 84 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 27->84 dropped 90 216 other malicious files 27->90 dropped 118 Sample is not signed and drops a device driver 27->118 100 j6fadacai.com 43.248.172.30, 49696, 49718, 49721 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Hong Kong 31->100 86 C:\ProgramData\MyFolder\datesk supe37.exe, PE32 31->86 dropped 88 C:\ProgramData\Microsoft Drive\Mark.sys, ASCII 31->88 dropped 120 Adds a directory exclusion to Windows Defender 31->120 34 cmd.exe 31->34         started        37 powershell.exe 2 23 31->37         started        39 powershell.exe 31->39         started        41 5 other processes 31->41 file10 signatures11 process12 signatures13 102 Uses ping.exe to sleep 34->102 104 Uses ping.exe to check the status of other devices and networks 34->104 43 PING.EXE 34->43         started        46 tasklist.exe 34->46         started        48 conhost.exe 34->48         started        58 22 other processes 34->58 106 Loading BitLocker PowerShell Module 37->106 50 conhost.exe 37->50         started        52 conhost.exe 39->52         started        54 conhost.exe 41->54         started        56 conhost.exe 41->56         started        60 3 other processes 41->60 process14 dnsIp15 98 127.0.0.1 unknown unknown 43->98 62 Conhost.exe 46->62         started        process16
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Loader
Link:
https://tip.neiki.dev/file/138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744
Threat name:
Win32.Trojan.Suschil
Create hunting rule
Status:
Malicious
First seen:
2026-04-11 15:45:50 UTC
File Type:
Binary (Archive)
Extracted files:
1644
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cofanzayduquqynmrakuopeun76z4op5k2war6u6hyjcvczxo5ca._file
Verdict:
malicious
Label(s):
hiddengh0st
Create hunting rule
fatalrat
Create hunting rule
Similar samples:
084239ba4742045424ecd68e60a1bef04d1e9f2d61ff10ff703026c4bb7e121c
Gh0stRAT
3c97e9b1ef1c2fbcd47898c8955080cc2b003254dee6835edb4cf9e675cc8a03
Gh0stRAT
524f4410012eaf96e6a64aaf4d5b014fa156f4ea31a5b1a6d6c99952d0eb63f8
Gh0stRAT
59943554ae244e65ddd1d720238fa47b8be3e341b7c02c436d08b6f03cb620e0
Gh0stRAT
9c41cf64df821725044e6ecfb11ab9c78dfbf4bb2376890a880562e18d5bf0ea
Gh0stRAT
error
Gh0stRAT
+ 107 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260414-zp8ttsbv5r/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Malware family:
HiddenGh0st
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/138a06e4181d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Microsoft Software Installer (MSI) msi 138a06e4181d214861ac8815473c946ffd9e39fd56ac08fa9e3e122a8b377744

(this sample)

Gh0stRAT

Executable exe 524f4410012eaf96e6a64aaf4d5b014fa156f4ea31a5b1a6d6c99952d0eb63f8

  
Link
https://tria.ge/260414-y4bxzaex3s/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 524f4410012eaf96e6a64aaf4d5b014fa156f4ea31a5b1a6d6c99952d0eb63f8
  
Dropping
MD5 5a1c8e1f47fda95c5ac9a7c7052400a7

Comments