MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 11
| SHA256 hash: | 4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2 |
|---|---|
| SHA3-384 hash: | 120260b799969528fbf2d8ab7a6f60c029e16b3c974ec3c3966dc78cd8d3b53e8f01ec6f2d8694f9184ea65d9bf51a31 |
| SHA1 hash: | 64195d7f824110c82521fd6103ebaea616e89b54 |
| MD5 hash: | bcc44ecaa70275f10a1e5d239767f3f8 |
| humanhash: | indigo-yankee-twelve-gee |
| File name: | RunningGhost_Setup.exe |
| Download: | download sample |
| File size: | 83'325'256 bytes |
| First seen: | 2026-07-05 06:23:35 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer) |
| ssdeep | 1572864:6/WHHr90/uSk+8sNjnFcDcy8DVqBWm/wx7BLbiTkcE3tZc7:6/8L9EuSk+Z5qB5wx7B99Zc7 |
| TLSH | T10A083390E0FB34BDF41BDB761142CB95AA7C0E049706ADA34197BF67488A67B050DBCB |
| TrID | 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| dhash icon | 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer) |
| Reporter | |
| Tags: | agent exe Psw stealer Wasp Stealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
148
Origin country :
AUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2.exe
Verdict:
Malicious activity
Analysis date:
2026-07-05 06:32:52 UTC
Tags:
waspstealer stealer evasion uac-bypass ip-check nodejs
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
extens virus sage
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Searching for synchronization primitives
Loading a suspicious library
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
DNS request
Connection attempt
Sending a custom TCP request
Launching many processes
Launching the process to interact with network services
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 crypto expand expired-cert fingerprint hacktool installer installer installer-heuristic lolbin microsoft_visual_cc nsis packed reconnaissance
Verdict:
Suspicious
Labled as:
TR/Evo
Verdict:
Unknown
File Type:
Score:
88%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Susipicious
Threat name:
Win32.Infostealer.Tinba
Status:
Malicious
First seen:
2026-07-05 03:54:27 UTC
File Type:
PE (Exe)
Extracted files:
18285
AV detection:
12 of 36 (33.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
adware collection discovery execution persistence privilege_escalation ransomware spyware stealer
Behaviour
Checks processor information in registry
Detects videocard installed
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Looks up external IP address via web service
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe 4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2
(this sample)
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.