MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GOBackdoor


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813
SHA3-384 hash: f1509578dc12f4f5d049f3e65418c1a7e0bda06257ddddb2a14ab4a6dc77c547a6f277f948e4ed2dbdbb57ee9cab26e5
SHA1 hash: f6f5861541d6f60035d7b9ff90ffd15fdf291eda
MD5 hash: f83cdfcb28975a20ca72984a8af5d897
humanhash: august-autumn-nitrogen-sodium
File name:888.exe
Download: download sample
Signature GOBackdoor
Create hunting rule
File size:11'531'776 bytes
First seen:2025-04-19 11:21:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 326fd86b0f25d245881dc7a4ad1098db (2 x GOBackdoor)
ssdeep 98304:41LKDsv7pcnvAprc3M9l6iU4gKFAQ36pVx80u:M2Dsv76nvApIM9oiRgKFA3+
Threatray 24 similar samples on MalwareBazaar
TLSH T1F9C619BC23D5C3C5E49B69FB4E6A23C2797C27751387CACB81A846B45FA0ED48530963
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70f4c4e4e8d4f468 (1 x GOBackdoor)
Reporter abuse_ch
Tags:exe GOBackdoor

Intelligence

File Origin
# of uploads :
1
# of downloads :
573
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
888.exe
Verdict:
No threats detected
Analysis date:
2025-04-19 11:35:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/669414ab-3a94-4701-9130-98ed17ad4506

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2990/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.5254.31476.10145.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68038758280f5f89a0d1fb01
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc virtual
Link:
https://www.filescan.io/uploads/68038743b13d3e2cb277fb41/reports/4d3fa134-8ef4-4db6-b55c-7cac5c7ecd35/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/28a523a5-a462-4783-9f3b-8474ff1fcfaa
Result
Threat name:
GO Backdoor
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1669139
Signature
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Yara detected GO Backdoor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1669139 Sample: 888.exe Startdate: 19/04/2025 Architecture: WINDOWS Score: 72 28 pki-goog.l.google.com 2->28 30 c.pki.goog 2->30 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected GO Backdoor 2->46 48 Joe Sandbox ML detected suspicious sample 2->48 8 888.exe 2->8         started        12 888.exe 1 2->12         started        14 888.exe 2->14         started        signatures3 process4 dnsIp5 32 194.28.226.181, 443, 49701, 49707 SYSTEM-LTD-ASRU Russian Federation 8->32 34 91.212.166.19, 443, 49702, 49708 MOBILY-ASEtihadEtisalatCompanyMobilySA United Kingdom 8->34 40 3 other IPs or domains 8->40 50 Suspicious powershell command line found 8->50 16 powershell.exe 8->16         started        36 212.34.130.72, 28280, 49696 RAN-NETWORKSES Spain 12->36 38 46.8.236.61, 443, 49695, 49697 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 12->38 18 powershell.exe 1 11 12->18         started        20 powershell.exe 14->20         started        signatures6 process7 process8 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813/
Threat name:
Win32.Trojan.Ghostsocks
Create hunting rule
Status:
Malicious
First seen:
2025-04-19 01:27:19 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jj3zskom6ssr2ati7tu4pncbipl7wruqqemttrwbse6n57byvajq._file
Verdict:
malicious
Label(s):
ghostsocks
Create hunting rule
Similar samples:
4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813
GOBackdoor
854d5ac4352c653dbb566a39de26f260181a666c01dc8f26347585bcd129a99d
GOBackdoor
89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c
GOBackdoor
90b3a30668871e1af9a1b449466589aa7f1096c7ec4a016394565d7d156f4451
GOBackdoor
93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
GOBackdoor
c67e82a5d7614d4ab31781c392d91de7ed5dc8fa5751c2db8c8cf7382954f13f
GOBackdoor
d460044a5b2f4c50ef44ed82d6e52734e296cbc7bbbdfd7eab10e785e49807cf
GOBackdoor
error
GOBackdoor
f3584fb954571db60dddaad92fc8cd0f52446ab3d136d4f6e8aba63aa6bdb2f1
GOBackdoor
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250419-nga22st1bt/
Behaviour
Program crash
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/26575fdb-e11f-4909-96d4-77dc26f4e79e
Unpacked files
SH256 hash:
4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813
MD5 hash:
f83cdfcb28975a20ca72984a8af5d897
SHA1 hash:
f6f5861541d6f60035d7b9ff90ffd15fdf291eda
Link:
https://www.unpac.me/results/119b3b2d-5134-4fb3-99f8-5efc2dfda0d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GOBackdoor

Executable exe 4a779929ccf4a51d0268fce9c7b44143d7fb4690811939c6c1913cdefc38a813

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3481114/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/2990/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments