MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89
SHA3-384 hash: cbfc90b41f087717e4c4d4b5609bf9ae72bc9b09b812756fb23ad4e2aa6672a4cf40559836ae67f787c6c74a1668da05
SHA1 hash: 9184cb0ccfb6030525cbc93784fae94d0f90fad8
MD5 hash: fbd96b45de900a8d4f8725ed581e7d60
humanhash: beer-mississippi-floor-pasta
File name:DeepL2.27A-4995.msi
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:20'993'536 bytes
First seen:2026-02-28 20:00:31 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:1tTIpYu/3cM31KS6ckRN95Ki9HMW/F04166MFvyI0:1VGt31KSvkp5/V+b65
TLSH T1D5273322B6CBC536D51E0177EA68FE1D0178BEB3473101E7B7F4B9AA84B48C29675702
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:Gh0stRAT msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6d95f4b0-41ed-4bf6-b99f-959813e6cc4f/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55037/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a349a3c950ab5d9ab29967
Tags:
n/a
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Clean
File Type:
msi
Link:
https://opentip.kaspersky.com/41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89/results?tab=lookup
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/1876416
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Installs Task Scheduler Managed Wrapper
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1876416 Sample: DeepL2.27A-4995.msi Startdate: 28/02/2026 Architecture: WINDOWS Score: 34 94 appdownload.deepl.com 2->94 98 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->98 100 Sigma detected: Execution from Suspicious Folder 2->100 10 DeepLSetup.exe 22 282 2->10         started        15 VC_radist.x64.exe 2 2->15         started        17 msiexec.exe 14 44 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 96 appdownload.deepl.com 172.64.151.134, 443, 49715, 49721 CLOUDFLARENETUS United States 10->96 76 C:\Users\user\AppData\Roaming\...\DeepL.exe, PE32 10->76 dropped 78 C:\Users\user\AppData\...\auto-start.exe, PE32 10->78 dropped 80 C:\Users\user\...\ZeroInstall.resources.dll, PE32 10->80 dropped 90 222 other malicious files 10->90 dropped 106 Installs Task Scheduler Managed Wrapper 10->106 21 0install-win.exe 16 268 10->21         started        24 0install-win.exe 10->24         started        82 C:\Users\user\AppData\...\VC_radist.x64.tmp, PE32 15->82 dropped 108 Adds a directory exclusion to Windows Defender 15->108 26 VC_radist.x64.tmp 20 15->26         started        28 powershell.exe 15->28         started        84 C:\Windows\Installer\MSIAC01.tmp, PE32 17->84 dropped 86 C:\Windows\Installer\MSIABE1.tmp, PE32 17->86 dropped 88 C:\Windows\Installer\MSIA595.tmp, PE32 17->88 dropped 92 6 other malicious files 17->92 dropped 110 Drops executables to the windows directory (C:\Windows) and starts them 17->110 31 msiexec.exe 17->31         started        33 MSIABE1.tmp 17->33         started        35 MSIAC01.tmp 17->35         started        37 0install-win.exe 19->37         started        file6 signatures7 process8 file9 56 ZeroInstall.resour...ll.n42jhobb.rmh.tmp, PE32 21->56 dropped 58 C:\Users\...\ZeroInstall.resources.dll (copy), PE32 21->58 dropped 60 ZeroInstall.Store....ll.ranuqfvf.pom.tmp, PE32 21->60 dropped 68 443 other malicious files 21->68 dropped 39 0install-win.exe 21->39         started        62 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 26->62 dropped 64 C:\Users\Public\...\wPmEo.Gx4 (copy), PE32+ 26->64 dropped 66 C:\Users\Public\Documents\...\is-US5H2.tmp, PE32+ 26->66 dropped 70 2 other malicious files 26->70 dropped 42 ORwkDMOTC3Zw.exe 26->42         started        112 Loading BitLocker PowerShell Module 28->112 45 conhost.exe 28->45         started        47 WmiPrvSE.exe 28->47         started        signatures10 process11 file12 72 C:\Users\user\...\temp.0haawlrj.2nj.DeepL.exe, PE32 39->72 dropped 74 C:\Users\user\AppData\...\DeepL.exe (copy), PE32 39->74 dropped 104 Tries to detect virtualization through RDTSC time measurements 42->104 49 msconfig.exe 42->49         started        51 fsquirt.exe 42->51         started        signatures13 process14 process15 53 ORwkDMOTC3Zw.exe 49->53         started        signatures16 102 Adds a directory exclusion to Windows Defender 53->102
Score:
57%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89
Gathering data
Gathering data
Verdict:
Malicious
Threat:
Family.GH0ST
Link:
https://tip.neiki.dev/file/41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-02-27 18:12:57 UTC
File Type:
Binary (Archive)
Extracted files:
118
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igqqyov6pks2jgj7sekn3vajvzipgymrpatlp46yxwirbhmrzseq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution installer persistence privilege_escalation
Link:
https://tria.ge/reports/260228-yrtl9aey6c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41a10c3abe7aa5a4993f9114ddd409ae50f361917826b7f3d8bd91109d91cc89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/55037/

Comments