MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75a5384d05ffc4e0e4deb4c55e0bc09d9edf32a346e4bc95716aa853eadc0d59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 12



SHA256 hash: 75a5384d05ffc4e0e4deb4c55e0bc09d9edf32a346e4bc95716aa853eadc0d59
SHA3-384 hash: b1a4acb1283181f4fcb5fd7654aa7ace8bfe10a03c65eead58223abb3a54b3020a41412f132abacca76252c200c5984e
SHA1 hash: 5074b5d97fb42fe9ca70c723065228ecfef3bf86
MD5 hash: 79171156a0c53de208bfed225a48cd3e
humanhash: lithium-fifteen-hawaii-mango
File name: 5a5175.msi
Signature Gh0stRAT
File size: 27'923'456 bytes
First seen: 2026-03-20 15:31:29 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 786432:cCm2UoHad51O0rf5cqm/4gOgaDdMitigFHPkNqI+NdipEi:cCmPdL5feax77cNqvbi
TLSH T1CB573315B6CBC132E52E0177E968FE2E05B9BD73073045D7B7E479AE84B88C19274782
TrID 77.3% (.MSI) Microsoft Windows Installer (454500/1/170)
10.3% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.5% (.MSP) Windows Installer Patch (44509/10/5)
3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags: Gh0stRAT msi

Intelligence


File Origin
# of uploads :
1
# of downloads :
78
Origin country :
HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 cmd expired-cert fingerprint lolbin msiexec packed short-lived-cert similar-threat wix
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
Detections:
Trojan-Dropper.Win32.Agentb.rt Trojan.Win64.Agentb.lhpe Trojan.Win32.Waldek.sb Trojan.MSIL.BypassUAC.sb Backdoor.Win32.Zegost.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found API chain indicative of debugger detection
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Behaviour
Behavior Graph: (interactive graph not reproduced) Behavior Graph ID: 1886961, Sample: 5a5175.msi, Startdate: 20/03/2026, Architecture: WINDOWS, Score: 64
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-03-20 04:52:28 UTC
File Type:
Binary (Archive)
Extracted files:
195
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
shellcode_loader_008
Similar samples:
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution installer persistence privilege_escalation
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_MSI_LATAM_Banker_From_LatAm
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments