MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 4 File information Comments

SHA256 hash:	4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38
SHA3-384 hash:	4d8f4730dfd1c705cdea885e8c6a74a5c14399cd1eff5fe0fe9cdcdbca4d30083a817d9b0267794718fa17059fbbd638
SHA1 hash:	0b013ecb40ebc6610455c6fc73885cea0e5cc5bb
MD5 hash:	8744d1478283776211349df280352d4f
humanhash:	ink-mockingbird-crazy-oscar
File name:	8744D1478283776211349DF280352D4F.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	701'952 bytes
First seen:	2026-02-03 07:35:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	14f8e4dca31086cd0498de53fcba2af3 (2 x Gh0stRAT)
ssdeep	12288:TocL6cIGASS3xgLIcei8RTkNVlzDBEbouH5d2yeQRkTM9mQ:ccecIlTk9zVEbouH5dDXwGmQ
TLSH	T1CBE4F1E4BBCF62F8C8A3FE3E83259275536723E2E8113594D4394B9A6D13117CA190ED
TrID	35.7% (.EXE) Win32 Executable (generic) (4504/4/1) 16.4% (.EXE) Win16/32 Executable Delphi generic (2072/23) 16.0% (.EXE) OS/2 Executable (generic) (2029/13) 15.8% (.EXE) Generic Win/DOS Executable (2002/3) 15.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Gh0stRAT RAT

abuse_ch

Gh0stRAT C2:
123.173.105.71:4567

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
123.173.105.71:4567	https://threatfox.abuse.ch/ioc/1740688/

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38.exe

Verdict:

Malicious activity

Analysis date:

2026-02-03 07:37:39 UTC

Tags:

phishing

Link:

https://app.any.run/tasks/2170cea6-83b8-4ed4-a1e2-6823e49803b8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51422/

Detection(s):

MiscreantPunch.SingleXOR.EXE.162.UNOFFICIAL

Win.Trojan.Agent-1118751

PUA.Win.Packer.BorlandDelphiKo-3

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6981a5474cec271dd7055aac

Tags:

vmdetect delphi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

DNS request

Connection attempt

Сreating synchronization primitives

Searching for the window

Creating a window

Sending a custom TCP request

Launching a service

Query of malicious DNS domain

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm anti-vm evasive exploit farfli fingerprint lethic obfuscated packed palevo xor-pe

Link:

https://www.filescan.io/uploads/6981a542d91d37abdd64c160/reports/bd264b8c-baff-4f25-8d5c-09c7a785c019/overview

Verdict:

Malicious

Labled as:

Trojan.Lethic.Generic

Link:

https://www.hybrid-analysis.com/sample/4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-22T21:47:00Z UTC

Last seen:

2026-01-22T23:19:00Z UTC

Hits:

~10

Detections:

PDM:Exploit.Win32.Generic Trojan-Spy.AntiAV.TCP.ServerRequest Backdoor.NetWiredRC.TCP.C&C Trojan.Win32.Dropik.sb Backdoor.Win32.WOC.sb HEUR:Trojan-Spy.Win64.AntiAV.gen HEUR:Trojan.Win32.Generic HEUR:Backdoor.Win32.Farfli.gen HEUR:Backdoor.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38/results?tab=lookup

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b14c5304-ffac-426e-a7df-cf2c0595eba7

Result

Threat name:

GhostRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1862198

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contain functionality to detect virtual machines

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to infect the boot sector

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GhostRat

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38/

Verdict:

Malicious

Threat:

Family.GH0STRAT

Link:

https://tip.neiki.dev/file/4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2026-01-22 21:29:14 UTC

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jjuwhgx4r6pvhrpbzi3de4vlun2axznnmkfevoad5r5yujhxlu4a._file

Verdict:

malicious

Label(s):

valleyrat

fatalrat

Similar samples:

error

Gh0stRAT

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/260203-jex2ksgw4f/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks computer location settings

Executes dropped EXE

Unpacked files

SH256 hash:

4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38

MD5 hash:

8744d1478283776211349df280352d4f

SHA1 hash:

0b013ecb40ebc6610455c6fc73885cea0e5cc5bb

Link:

https://www.unpac.me/results/2007dd7c-911f-4527-9fb9-6d7cae6efc97/

SH256 hash:

21b14e8513006c38ee6a58f3d13099f4d528b4e413aa7013fe86fd1715b20f29

MD5 hash:

a5292afbca58651f954b8bb0bc48af71

SHA1 hash:

f1d36d4550dcad23feb0782e2b28de8b49e29820

Link:

https://www.unpac.me/results/2007dd7c-911f-4527-9fb9-6d7cae6efc97/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a69639afc8f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farfli

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/4a69639afc8f9f53c5e1ca363272aba3740be5ad628a4ab803ec7b8a24f75d38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51422/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample