MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25e9a59bf9a9c9d4cb8861c23570eb7b62aaa2ff23c3fe6dd4f5c44351a60b7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT
Vendor detections: 14

SHA256 hash: 25e9a59bf9a9c9d4cb8861c23570eb7b62aaa2ff23c3fe6dd4f5c44351a60b7e
SHA3-384 hash: 9ac730255a62e669132a8f04c49ceff9e876c8b66a0bee4bbda886b3433dcd35e1e128596b9e93689a26f68bb2c75625
SHA1 hash: df7076c7723a79271fec61d63ff5c4a7fc26d888
MD5 hash: 4e0825cd3d96a1e239c8a735ab42ead9
humanhash: salami-double-undress-ceiling
File name: 25e9a59bf9a9c9d4cb8861c23570eb7b62aaa2ff23c3fe6dd4f5c44351a60b7e
Signature: Gh0stRAT
File size: 3'887'980 bytes
First seen: 2025-09-01 13:08:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep: 49152:ac8mkmaUwpIpmKCrJ1NqbYQPHW17PI0wDN/InN1wdWacXyFe0YT2Lyi3mvCHdZwL:skd+J1NAYQPWtS4wtcCtYTLCE1NK8b
Threatray: 1'255 similar samples on MalwareBazaar
TLSH: T1400612C9D15DAA24FA982C7B3D25766BA39238131749600DBE9F3DA777030B44E64FB0
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: JAMESWT_WT
Tags: exe Gh0stRAT Orziveccho

Intelligence
File Origin
# of uploads: 1
# of downloads: 320
Origin country: IT

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 25e9a59bf9a9c9d4cb8861c23570eb7b62aaa2ff23c3fe6dd4f5c44351a60b7e
Verdict: Suspicious activity
Analysis date: 2025-09-01 13:11:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 95.7%
Tags: shellcode injection virus

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a file in the %temp% directory
  Creating a window
  Creating a file in the %AppData% subdirectories
  Creating a file
  Sending a custom TCP request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer microsoft_visual_cc obfuscated overlay packed packer_detected

Verdict: Malicious
File Type: exe x32
First seen: 2018-09-05T01:12:00Z UTC
Last seen: 2018-09-05T01:12:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2018-09-02 19:50:44 UTC
File Type: PE (Exe)
Extracted files: 558
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery installer persistence privilege_escalation upx
Behaviour:
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Loads dropped DLL

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Detections: Codoso_Gh0st_1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base63 encoded PowerShell script.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detects an NSIS installer used for the Buer loader

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Checks for overlay, obfuscation, encryption, spoofing, hiding, or entropy techniques (can create FP)

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments