MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a876df85aec34d6cc3758543e5f423008d55bd2b6efb8630f7578a9d161b848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 7



SHA256 hash: 7a876df85aec34d6cc3758543e5f423008d55bd2b6efb8630f7578a9d161b848
SHA3-384 hash: 8a6483dbb3f41e82d92955fe4e792774e43431ba476875d07ee693bad3381bb8af97a065c614c233e2bac2b6bc5a1530
SHA1 hash: 967dda1caf6f82b3e65405abf7820574829079b5
MD5 hash: 4a5bd4ca17fb4e5a7a50125150f19039
humanhash: eighteen-two-summer-venus
File name: clashforw.exe
Signature Gh0stRAT
File size: 90'105'206 bytes
First seen: 2026-05-17 15:44:39 UTC
Last seen: Never
File type: Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (80 x Gh0stRAT, 22 x ValleyRAT, 6 x OffLoader)
ssdeep 1572864:6eVQZvz0tqxQD0fCGV6t0zrwk4Psh2RVNduwCUiXiG0KzKt+Xu7TcvdLS9qo21rM:6eKpz0tqxQA6Y6t04NlNduwChXXKMEcW
Threatray 1'401 similar samples on MalwareBazaar
TLSH T15A183352B28B6477F5FA06360433D2422837E6A18710DD6BA7E9084EDF255D22D3FB4B
TrID 61.4% (.EXE) Inno Setup installer (107240/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.7% (.EXE) Win64 Executable (generic) (6522/11/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 89a9d9d8a499a502 (1 x Gh0stRAT)
Reporter Ling
Tags: exe Gh0stRAT SilverFox ValleyRAT


CNGaoLing
SilverFox
IOC (IP 154.12.19.41)

Intelligence


File Origin
# of uploads: 1
# of downloads: 128
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: clashforw.exe
Verdict: No threats detected
Analysis date: 2026-05-17 15:29:38 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic packed reconnaissance

Verdict: Clean
File Type: exe x32
First seen: 2026-05-17T13:02:00Z UTC
Last seen: 2026-05-17T13:15:00Z UTC
Hits: ~10
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 7a876df85aec34d6cc3758543e5f423008d55bd2b6efb8630f7578a9d161b848 (this sample)

Delivery method: Distributed via web download
