MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments

SHA256 hash: 4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2
SHA3-384 hash: 120260b799969528fbf2d8ab7a6f60c029e16b3c974ec3c3966dc78cd8d3b53e8f01ec6f2d8694f9184ea65d9bf51a31
SHA1 hash: 64195d7f824110c82521fd6103ebaea616e89b54
MD5 hash: bcc44ecaa70275f10a1e5d239767f3f8
humanhash: indigo-yankee-twelve-gee
File name:RunningGhost_Setup.exe
Download: download sample
File size:83'325'256 bytes
First seen:2026-07-05 06:23:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep 1572864:6/WHHr90/uSk+8sNjnFcDcy8DVqBWm/wx7BLbiTkcE3tZc7:6/8L9EuSk+Z5qB5wx7B99Zc7
TLSH T10A083390E0FB34BDF41BDB761142CB95AA7C0E049706ADA34197BF67488A67B050DBCB
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter Alex_sev
Tags:agent exe Psw stealer Wasp Stealer


Avatar
Alex_sev
https://running-ghosts.netlify.app/

Intelligence


File Origin
# of uploads :
1
# of downloads :
148
Origin country :
AU AU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2.exe
Verdict:
Malicious activity
Analysis date:
2026-07-05 06:32:52 UTC
Tags:
waspstealer stealer evasion uac-bypass ip-check nodejs

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Tags:
extens virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Searching for synchronization primitives
Loading a suspicious library
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
DNS request
Connection attempt
Sending a custom TCP request
Launching many processes
Launching the process to interact with network services
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm base64 crypto expand expired-cert fingerprint hacktool installer installer installer-heuristic lolbin microsoft_visual_cc nsis packed reconnaissance
Gathering data
Threat name:
Win32.Infostealer.Tinba
Status:
Malicious
First seen:
2026-07-05 03:54:27 UTC
File Type:
PE (Exe)
Extracted files:
18285
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware collection discovery execution persistence privilege_escalation ransomware spyware stealer
Behaviour
Checks processor information in registry
Detects videocard installed
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates processes with tasklist
Looks up external IP address via web service
Clipboard Data
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4d74a2df37d961af81255fc64ef1e49a5805bb1eec98513fbb93295fb8c482f2

(this sample)

  
Delivery method
Distributed via web download

Comments