MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ce399ae92c3e79a25e9013b2c81fe0add119bda0a65336d1e5c231654db01a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CastleRAT

Vendor detections: 14

SHA256 hash: 7ce399ae92c3e79a25e9013b2c81fe0add119bda0a65336d1e5c231654db01a5
SHA3-384 hash: 42afccd55575d91afc7dde8fab54c415300082afe94ba908d1fa2116fee04311126ea34347ef98a78977a6e4f4d3691d
SHA1 hash: 9fd21b8defe7b9ebbebc422caf6fcab3df7f547c
MD5 hash: 5e112bf39e380e74bd820db22820a19b
humanhash: mars-pip-romeo-helium
File name: 7ce399ae92c3e79a25e9013b2c81fe0add119bda0a65336d1e5c231654db01a5
Signature: CastleRAT
File size: 28'578'528 bytes
First seen: 2025-12-23 08:01:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep: 393216:CDQBb0vfMEeYC263y8US6z+WHlVDmOx/iD/0Fich2WPuaKxSms6c0Wd7tEOs9tl8:CDQY2YmCVdFVDMCcBx1hct7ar9nXX
Threatray: 707 similar samples on MalwareBazaar
TLSH: T1F7573363E5D81993F47E2BB041BF1FE5CBF965982D02A09383874985B8B06713FA7D84
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: JAMESWT_WT
Tags: castlerat exe miteamss-com signed

Code Signing Certificate

Organisation: NOMAC LLC
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2025-08-20T17:37:55Z
Valid to: 2026-05-20T15:51:36Z
Serial number: 5c1c54f72bcc4db6079023ba
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 55f45f5a6562473b6d8348dbe15660a130cedc3b0fb4d7cf216d155f8211283c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 51
Origin country: IT
Vendor Threat Intelligence

Malware configuration found for: NSIS
Details: NSIS
Extracted archive contents

Malware family: n/a
ID: 1
File name: Advanced.IP.Scanner2.5.4594.1.exe
Verdict: Malicious activity
Analysis date: 2025-12-23 08:02:40 UTC
Tags: evasion python auto-startup websocket castlerat rat inno installer delphi advancedipscanner tool

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: autorun extens sage blic

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug blackhole fingerprint installer installer installer-heuristic microsoft_visual_cc nemesis netscan nsis overlay packed python revoked-cert signed

Verdict: Adware
File Type: exe x32
Detections: HEUR:HackTool.Win32.NetScan.gen BSS:Trojan.Win32.Generic Backdoor.Python.Agent.gd NetTool.AdvancedIPScanner.HTTP.C&C not-a-virus:HEUR:NetTool.Win32.NetScan.gen not-a-virus:BSS:NetTool.Win32.IPScanner.gen

Verdict: inconclusive
YARA: 5 match(es)
Tags: Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-26 20:49:23 UTC
File Type: PE (Exe)
Extracted files: 4084
AV detection: 16 of 36 (44.44%)
Threat level: 5/5

Result
Malware family: castlerat
Score: 10/10
Tags: family:castlerat actor:tag_150 apt discovery installer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
CastleRAT
Castlerat family
Detects Python variant of CastleRAT.

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments