MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c0dbb4434505d5eb0d2c42bad90015b1580a9dbd973c3b5e8c2c1dcd018a2d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 10



SHA256 hash: 1c0dbb4434505d5eb0d2c42bad90015b1580a9dbd973c3b5e8c2c1dcd018a2d8
SHA3-384 hash: c063c31de1de18b62611f413a9e613219ba1a21f0e3eae6d91e48cb9ca935732a08cb865eb8f60c120fd146e6f1d437f
SHA1 hash: 03685d1bac7cc2c01fb7ac1a05a1157321e21d21
MD5 hash: 2ce5d2231483279a461fdad29ad5030a
humanhash: michigan-vegan-eight-maryland
File name: kuakju.exe
Signature: Gh0stRAT
File size: 83'811'176 bytes
First seen: 2025-05-02 18:14:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (56 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep 1572864:l5et63v4icFgx6pJYy6ZlOxo05zWnqZXbJbT+8h/KtMCJdbha4jg1Pj9CMrF/Ae:mudQzJR6ZlOu05zqYbJPREM2bF4F/Ae
TLSH T1EA08332A92CF2A3FF15F093B05A7D14685776A525B234CA796F88BACCF181901D2F707
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon c0c8d4cc64d4ccf4 (1 x Gh0stRAT)
Reporter GDHJDSYDH1
Tags: backdoor exe FakeApp gh0st Gh0stRAT

Intelligence


File Origin
# of uploads :
1
# of downloads :
622
Origin country :
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kuakju.exe
Verdict:
Malicious activity
Analysis date:
2025-05-02 18:36:29 UTC
Tags:
themida phishing

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
shellcode virus blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Creating a file
Moving a recently created file
Creating a process with a hidden window
Launching a service
Launching a process
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Enabling autorun for a service
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint installer overlay overlay packed packed packer_detected
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (Joe Sandbox graph ID 1680147; sample kuakju.exe; start date 02/05/2025; architecture WINDOWS; score 100). The original is a diagram; the process tree, dropped files and network contacts it shows are rendered here as text:

Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
Contacted hosts: ht.asosshopmall.com, fyhutong.mlcrosoft.cyou

kuakju.exe (started)
  dropped: C:\Users\user\AppData\Local\...\kuakju.tmp (PE32)
  started: kuakju.tmp
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    dropped: C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
    dropped: C:\Users\Public\5c8ac3d5\xALTr\is-TKIGT.tmp (PE32+)
    dropped: 5 other malicious files
    started: 8UQlD.exe
      signatures: Query firmware table information (likely to detect VMs); Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
      started: WmiApSrv.exe
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        injected: sihost.exe
          network: ht.asosshopmall.com (45.192.168.35, 45, 52939; ANCHGLOBAL-AS-AP Anchnet Asia Limited HK; Seychelles)
        injected: svchost.exe
          network: 192.168.2.1 (unknown, unknown)
        injected: svchost.exe
        injected: 2 other processes
      started: powershell.exe
        signatures: Loading BitLocker PowerShell Module
        started: conhost.exe
        started: WmiPrvSE.exe
  started: conhost.exe
svchost.exe (started)
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  started: MpCmdRun.exe
    started: conhost.exe
svchost.exe (started)
5 other processes (started)
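Three of the Joe Sandbox signatures above (Adds a directory exclusion to Windows Defender; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet; Sigma detected: Parent in Public Folder Suspicious Process) describe a process-creation pattern that is easy to detect on an endpoint: a PowerShell child of a process living under C:\Users\Public, carrying an -EncodedCommand payload that decodes to an Add-MpPreference or Set-MpPreference call. The following Python is an added example, not code from MalwareBazaar, Joe Sandbox or the Sigma project: it decodes the payload (base64 of UTF-16LE, as PowerShell expects) and applies the two checks to constructed process events. The process IDs, the command lines and the full parent path for 8UQlD.exe are assumptions for the illustration; only the C:\Users\Public\5c8ac3d5 directory and the process names come from the graph above.

```python
import base64
import re
from typing import Dict, List, Optional

# Defender cmdlets that weaken protection, together with the parameters that do so.
# Case-insensitive because PowerShell is.
MPPREF_RE = re.compile(
    r"(?i)\b(Add|Set|Remove)-MpPreference\b.*?-(Exclusion(Path|Process|Extension)|Disable\w+)"
)
# Common spellings of -EncodedCommand (PowerShell accepts unambiguous prefixes).
ENC_FLAG_RE = re.compile(r"(?i)^-e(c|nc|ncodedcommand)?$")
# Parent image living under the world-writable Public profile.
PUBLIC_PARENT_RE = re.compile(r"(?i)^C:\\Users\\Public\\")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    toks = cmdline.split()
    for flag, payload in zip(toks, toks[1:]):
        if ENC_FLAG_RE.match(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # flag present but payload is not valid base64/UTF-16LE
    return None


def scan_process_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply both checks to process-creation events; one alert dict per hit, in event order."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        cmd = str(ev["CommandLine"])
        parent = str(ev["ParentImage"])
        if PUBLIC_PARENT_RE.match(parent):
            alerts.append({"rule": "parent_in_public_folder", "pid": ev["ProcessId"],
                           "via": "parent", "match": parent})
        # Check the raw command line and, if present, the decoded -EncodedCommand payload.
        for via, text in (("plaintext", cmd), ("encoded", decode_encoded_command(cmd))):
            if text:
                m = MPPREF_RE.search(text)
                if m:
                    alerts.append({"rule": "mppreference_cmdlet", "pid": ev["ProcessId"],
                                   "via": via, "match": m.group(0)})
    return alerts


def build_events() -> List[Dict[str, object]]:
    """Constructed sample events (assumptions, not records from the sandbox report)."""
    def enc(ps: str) -> str:
        return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")
    return [
        {"ProcessId": 4412,
         "ParentImage": r"C:\Users\Public\5c8ac3d5\xALTr\8UQlD.exe",   # assumed full path
         "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                        + enc(r'Add-MpPreference -ExclusionPath "C:\Users\Public\5c8ac3d5"')},
        {"ProcessId": 5120,
         "ParentImage": r"C:\Windows\explorer.exe",
         "CommandLine": "powershell.exe -enc " + enc("Get-Date")},           # benign encoded use
        {"ProcessId": 5300,
         "ParentImage": r"C:\Windows\System32\cmd.exe",
         "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    ]


if __name__ == "__main__":
    for alert in scan_process_events(build_events()):
        print(alert)
```

The encoded payload is checked only after decoding, so a base64 blob never matches the cmdlet regex by accident, and a benign encoded Get-Date produces no alert; the plaintext pass still catches the unencoded -Command form that the encoded-command Sigma rule would miss.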
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2025-05-02 15:29:34 UTC
File Type:
PE (Exe)
AV detection:
8 of 23 (34.78%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery execution themida trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Themida packer
Command and Scripting Interpreter: PowerShell
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 1c0dbb4434505d5eb0d2c42bad90015b1580a9dbd973c3b5e8c2c1dcd018a2d8

(this sample)

  
Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid, advapi32.dll::ConvertSidToStringSidW, advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW, advapi32.dll::EqualSid, advapi32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges, advapi32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, advapi32.dll::OpenThreadToken, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetDriveTypeW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetSystemDirectoryW, kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW
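The three BLint findings above are all properties of the PE headers: the Authenticode signature lives in the security data directory (index 4), HIGH_ENTROPY_VA is bit 0x0020 of the optional header's DllCharacteristics field, and requireAdministrator comes from the requestedExecutionLevel element of the embedded manifest. The following stdlib-only Python is an added example, not BLint's own code and not part of MalwareBazaar: it reproduces those three checks against a constructed PE32+ header stub rather than the real sample. The stub builder, the finding tuples and the raw-byte search for the manifest (a shortcut for walking the .rsrc tree, so it can also match a manifest string that is not the one Windows actually loads) are assumptions of this example; pass a file path to run it on a real binary.

```python
import re
import struct
from typing import List, Optional, Tuple

# IMAGE_DLLCHARACTERISTICS_* flags from the PE specification, in reporting order.
DLL_FLAGS = [
    ("HIGH_ENTROPY_VA", 0x0020),   # 64-bit ASLR; only meaningful for PE32+
    ("DYNAMIC_BASE", 0x0040),
    ("NX_COMPAT", 0x0100),
    ("GUARD_CF", 0x4000),
]
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory holding the Authenticode certificate table
Finding = Tuple[str, str, str]       # (id, title, severity), shaped like the table above


def lint_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers to reproduce the three findings above."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                         # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        arch, dirs = "PE32", opt + 96               # data directories start at offset 96
    elif magic == 0x20B:
        arch, dirs = "PE32+", opt + 112             # ... and at 112 for PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Heuristic (assumption of this example): RT_MANIFEST is stored as plain XML, so search
    # the raw bytes instead of walking the resource directory tree.
    m = re.search(rb'<requestedExecutionLevel[^>]*\blevel="([^"]+)"', data)
    level = m.group(1).decode("ascii", "replace") if m else None

    findings: List[Finding] = []
    if cert_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    missing = [name for name, bit in DLL_FLAGS
               if not (dllchars & bit) and not (name == "HIGH_ENTROPY_VA" and arch == "PE32")]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         f"Missing dll Security Characteristics ({', '.join(missing)})", "high"))
    if level == "requireAdministrator":
        findings.append(("CHECK_TRUST_INFO", f"Requires Elevated Execution (level:{level})", "high"))
    return {"arch": arch, "dll_characteristics": dllchars, "authenticode": cert_size != 0,
            "execution_level": level, "findings": findings}


def build_pe_stub(dll_characteristics: int, signed: bool, exec_level: Optional[str]) -> bytes:
    """Constructed PE32+ header skeleton (not a runnable binary): only fields lint_pe reads are set."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)         # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                   # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    body = b""
    if exec_level:
        body = b'<requestedExecutionLevel level="' + exec_level.encode() + b'" uiAccess="false"/>'
    cert = b""
    if signed:
        cert = b"\0" * 8                                                    # stand-in for a WIN_CERTIFICATE blob
        header_len = 64 + 4 + 20 + 240
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len + len(body), len(cert))                 # file offset, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:   # mirror the findings table above: signed=no, HIGH_ENTROPY_VA clear, requireAdministrator
        sample = build_pe_stub(0x4140, False, "requireAdministrator")
    for finding in lint_pe(sample)["findings"]:
        print(" | ".join(finding))
```

A non-zero certificate table size only shows that a signature blob is attached; verifying it (chain, timestamp, hash of the image) is a separate step, which is why BLint reports the check as "Missing Authenticode" rather than "unsigned or invalid".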

Comments