MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55
SHA3-384 hash: e3f3e5593931ed86f7535e590a23e071f95f5268d7776bb5e59ad1a35839b55306a3516c3b018fa1e052790c99de7f21
SHA1 hash: b08440965f9d05ea9b85a7749dc293d6c090a084
MD5 hash: 3b9a79ed0ab4b6bb8973e625ea42cabb
humanhash: william-yankee-iowa-pluto
File name:3b9a79ed0ab4b6bb8973e625ea42cabb.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:11'720'441 bytes
First seen:2025-06-01 16:59:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (55 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep 196608:OsWQVJCX+SZhA7O40StbBmafQzBuXlIjwvT8Q3bHAcTo00jDt:OVOwX+SZhmD0SBcaWBMIjwo+bgKGDt
Threatray 130 similar samples on MalwareBazaar
TLSH T19FC6E113F28E742ED06B3E392A7793A1983B7A5039124C57A7EC394C8F3D5845E2A357
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe Gh0stRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Set-up.exe
Verdict:
Malicious activity
Analysis date:
2025-05-27 17:24:34 UTC
Tags:
delphi inno installer
Link:
https://app.any.run/tasks/155c2145-9ea7-4e36-9e3d-394c497b1a8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6706/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.76522758.30374.26039.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683c87a5acf88f5815eac6c3
Tags:
dropper spawn virus
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Adding an access-denied ACE
Launching a process
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer invalid-signature overlay overlay packed signed
Link:
https://www.filescan.io/uploads/683c86f1fd02ed5e059269cd/reports/72f56fdf-0a83-44d2-9ff7-7b7c4bb1cae6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ac030405-ec13-4834-af6b-3ad97f64c282
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1703434
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1703434 Sample: llZKhDJXoP.exe Startdate: 01/06/2025 Architecture: WINDOWS Score: 60 50 Multi AV Scanner detection for submitted file 2->50 11 llZKhDJXoP.exe 2 2->11         started        process3 file4 44 C:\Users\user\AppData\...\llZKhDJXoP.tmp, PE32 11->44 dropped 14 llZKhDJXoP.tmp 3 4 11->14         started        process5 file6 46 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->46 dropped 17 llZKhDJXoP.exe 2 14->17         started        process7 file8 34 C:\Users\user\AppData\...\llZKhDJXoP.tmp, PE32 17->34 dropped 20 llZKhDJXoP.tmp 5 37 17->20         started        process9 file10 36 C:\Users\user\...\OSArmorDevUI.exe (copy), PE32+ 20->36 dropped 38 C:\Users\user\...\mswebprjui.dll (copy), PE32 20->38 dropped 40 C:\Users\user\AppData\...\is-SORRL.tmp, PE32+ 20->40 dropped 42 62 other files (none is malicious) 20->42 dropped 23 OSArmorDevUI.exe 20->23         started        process11 signatures12 52 Hides threads from debuggers 23->52 54 Found direct / indirect Syscall (likely to bypass EDR) 23->54 26 OpenWith.exe 23->26         started        30 WerFault.exe 2 23->30         started        process13 dnsIp14 48 194.143.146.43, 443, 49696 BIGNET-ASUA Ukraine 26->48 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->56 32 WerFault.exe 2 26->32         started        signatures15 process16
Score:
32%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-25 23:57:58 UTC
File Type:
PE (Exe)
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dt6dwmvowzrwpqcuvqzzvxicwjeal6ikhufvhplbwrtq2dw7rjkq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
095b0a89ef2484e672af40ae72288ac65151d637351d9a1dcebbbf048138d46e
Gh0stRAT
0a5bb6b29e70f99c51cc97726ceab44771dca068cc5d56780c9abf71662bb287
Gh0stRAT
1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f
Gh0stRAT
6136c6fc5919bc7e677e087f3616830d25d993f366bd9bfbf5a1a28f1285a438
Gh0stRAT
64b5ab61bf52abbad72621534950c673c3a58589088ac471ce50795cf406eab9
Gh0stRAT
a2f1fa7763b8c5a8b4a79e63262f6b8bcdd7e019ac86bfc9b95f0422a874047d
Gh0stRAT
c865f24e4b9b0855b8b559fc3769239b0aa6e8d680406616a13d9a36fbbc2d30
Gh0stRAT
d9099dc0e0b217beca26b3d9074df946a34bd5cad3b6bba5e1473b5395de927b
Gh0stRAT
e607d8b4051f1d17c28d2bfdb9254e960ae08a8972b0ff445b46564ea9e59c33
Gh0stRAT
ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058
Gh0stRAT
error
Gh0stRAT
+ 120 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250601-vhlcqsznw5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks computer location settings
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cc51fbba-2f08-4671-af97-02bf406c8791
Unpacked files
SH256 hash:
1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55
MD5 hash:
3b9a79ed0ab4b6bb8973e625ea42cabb
SHA1 hash:
b08440965f9d05ea9b85a7749dc293d6c090a084
Link:
https://www.unpac.me/results/dbed8969-520d-4d7d-9dca-e6bfa41d3c4b/
SH256 hash:
d8d45a01c20fb8d37b97f4fba25c73c018dde4aee80720cd9bc239a05e5ba249
MD5 hash:
7b3a5d4e5350d925a3938a214894afc1
SHA1 hash:
ed458818c46d67bab80549316dc475407e33d2b5
Link:
https://www.unpac.me/results/dbed8969-520d-4d7d-9dca-e6bfa41d3c4b/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1cfc3b32aeb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/6706/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments