MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a37834a9bee62cc7cd4f203343bcc6d6bb986ecf15a00f1b3ac2bea5ff2bff5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 9



SHA256 hash: 5a37834a9bee62cc7cd4f203343bcc6d6bb986ecf15a00f1b3ac2bea5ff2bff5
SHA3-384 hash: 91ee9e4a5268010b9ba876e6cbcf06a740a7d9aba2df2392678cdfe6378f5231c77593a1477e672a97b673b13b377233
SHA1 hash: c3d51630538ffb8eeb67e33edf97570c197a5c66
MD5 hash: ad3098132cccf9e450d988037cbf1010
humanhash: magazine-winter-twelve-echo
File name: MSTseg-Teuener-x6.4.msi
Signature: Gh0stRAT
File size: 55'117'824 bytes
First seen: 2026-03-18 22:25:27 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:QxssCWZ+gIlkc4qfqRNQTFtyFYx/TcDrpds:QqO+gIlE4qRNQ5tyFK0pds
Threatray: 57 similar samples on MalwareBazaar
TLSH: T19AC73321759EC232F66F05B19A29DA2EE13C7CE2077044EB93E4F95A6A314C25335F93
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: CHN gcsoon-com Gh0stRAT msi


iamaachum
https://www.teams-free.com/download.html => https://facaishunli1.oss-cn-hongkong.aliyuncs.com/MSTseg-Teuener-x6.4.rar

IOCs:
www.gcsoon.com
45.202.1.71

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: ES

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm base64 CAB cmd evasive expired-cert fingerprint installer keylogger lolbin msiexec packed runonce short-lived-cert update wix
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
File Type: msi
Detections: Trojan.Win32.Waldek.sb
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 58 / 100
Signatures:
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 1886064; sample MSTseg-Teuener-x6.4.msi; start date 18/03/2026; architecture WINDOWS; score 58). The rendered graph is not reproduced here; the process, file and network nodes it contains are listed below.

Network: www.gcsoon.com (45.202.1.71; ports 45, 65077, 65081; ONL-HKOCEANNETWORKLIMITEDHK, Seychelles), teams.live.com, s-0005.s-msedge.net (52.113.194.132, port 443; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 192.168.2.1, and 2 other IPs or domains.

Process tree:
msiexec.exe (drops C:\Windows\Installer\MSIBE23.tmp PE32+, C:\Windows\Installer\MSIA5B7.tmp PE32, C:\Windows\Installer\MSIA549.tmp PE32 and 5 other malicious files, then starts them)
  MSIBE23.tmp
    MSTeamsSetup.exe
  msiexec.exe (drops C:\Users\user\AppData\Local\Temp\viewer.exe PE32)
    II-3.exe (drops C:\Users\user\AppData\Local\Temp\...\II-3.tmp PE32)
      II-3.tmp (drops C:\Users\user\AppData\Local\...\_setup64.tmp PE32+, C:\Program Files (x86)\qsAoU\...\is-VHD16.tmp PE32+, C:\Program Files (x86)\qsAoU\...\is-DL17S.tmp PE32+ and 2 other malicious files)
        4o7G3E.exe (adds a directory exclusion to Windows Defender; maps a DLL or memory area into another process; direct / indirect syscall)
          elevation_service.exe (x2; creates an undocumented autostart registry key; allocates memory in and writes to foreign processes; maps a DLL into another process)
            sihost.exe (injected; contacts www.gcsoon.com; unusual module load detection / module proxying)
            svchost.exe (injected)
            cmd.exe
              icacls.exe (x2)
            4 other processes
          powershell.exe (loads BitLocker PowerShell module)
        powershell.exe (x2; loads BitLocker PowerShell module)
msiexec.exe (drops C:\Users\user\AppData\Local\...\MSICBEB.tmp PE32, C:\Users\user\AppData\Local\...\MSICB8C.tmp PE32, C:\Users\user\AppData\Local\...\MSIC179.tmp PE32 and 16 other malicious files)
svchost.exe (unusual module load detection / module proxying)
3 other processes
  Update.exe (dropped to C:\Users\user\AppData\Local\...\Update.exe PE32; contacts s-0005.s-msedge.net)
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence privilege_escalation
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_MSI_LATAM_Banker_From_LatAm
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: Warp
Author: Seth Hardy
Description: Warp
Rule name: WarpStrings
Author: Seth Hardy
Description: Warp Identifying Strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gh0stRAT
Microsoft Software Installer (MSI) msi
5a37834a9bee62cc7cd4f203343bcc6d6bb986ecf15a00f1b3ac2bea5ff2bff5 (this sample)
Delivery method: Distributed via web download
