MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CastleRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 32 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702
SHA3-384 hash: ffd004586ffa03a68d5b1457d27106932a72e2125b5dc888eeb94edd574df51251c0c2108f5d504dc64d34581ae2c092
SHA1 hash: 73ad12b56ff32f8c0efbef092a7e33e1ddcfe935
MD5 hash: 3c28bcaf72e41f41edc6e19d8e39a3da
humanhash: hot-speaker-don-carpet
File name:clepoy-cotool.zip
Download: download sample
Signature CastleRAT
Create hunting rule
File size:5'348'366 bytes
First seen:2025-12-22 16:44:41 UTC
Last seen:2025-12-23 07:57:38 UTC
File type: zip
MIME type:application/zip
ssdeep 98304:VxtzeTNlopy6DnS1mmREibOWRYlbNZtin61x42kBuEvpKe2GKLcq40ZKfzBp8fS1:VxteTkpyQnS1mmOiiiz2kj2Gw1RZuzBN
TLSH T1813633D81CF566E16A218F0267845C4198917F0E7AB63FC5B25281C0EE063B2F7F699F
Magika zip
Reporter ShadowOpCode
Tags:booking castlerat melasio-com miteamss-com partner-hotel-app zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
46
Origin country :
IT IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:cotool.exe
File size:16'484'864 bytes
SHA256 hash: c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919
MD5 hash: a021630673fdf06c4669253d9e13075d
MIME type:application/x-dosexec
Signature CastleRAT
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/a3200f71-79f0-44ea-873a-95c7d1a96fa5/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694975aa1f45795757236a2c
Tags:
smarts micro crypt
Result
Verdict:
Suspicious
File Type:
PE File
Link:
https://app.docguard.net/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint keylogger packed
Link:
https://www.filescan.io/uploads/694975a33f8fdbf8e94eead4/reports/39167f00-3964-4c82-951a-911f47cb65b9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702
Verdict:
Malicious
File Type:
zip
First seen:
2025-12-22T14:11:00Z UTC
Last seen:
2025-12-22T17:05:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702/results?tab=lookup
Score:
81%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Zip Archive
Link:
https://app.malva.re/file/3c28bcaf72e41f41edc6e19d8e39a3da
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-22 16:45:26 UTC
File Type:
Binary (Archive)
Extracted files:
112
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rf5v5v4osect7ius7csftidbeueghvyee7uxypx7czfcthgb64ba._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
persistence
Link:
https://tria.ge/reports/251222-vzj61axmbz/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Any_SU_Domain
Create hunting rule
Author:you
Description:Detect any reference to .su domains or subdomains
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_Submitting
Create hunting rule
Author:NCSC-CH / GovCERT
Description:Detects login forms in HTML content
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NightshadeC2
Create hunting rule
Author:YungBinary
Description:NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_stealer_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic stealer malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

CastleRAT

PowerShell (PS) ps1 0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3

CastleRAT

zip 897b5ed78e91053fa292f8a459a061250863d70427e97c3eff164a299cc1f702

(this sample)

CastleRAT

Executable exe c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919

  
Dropped by
SHA256 0d9c9204ca58d57a76d753bf4ef8a423177bf7b9a9294e49baa0f3067a8cbbd3
  
Dropping
SHA256 c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919
  
Dropping
MD5 a021630673fdf06c4669253d9e13075d
  
Dropped by
MD5 0cf2b57111bc34574e9405aa9aacad58

Comments