MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CastleRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 15 File information Comments

SHA256 hash:	8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402
SHA3-384 hash:	e7311288c689c2b2e589f382323e94ca801b9c5b5e9ea76271e4c2208b1b8030e5f2b8c5bd7dd731d93a5b464c366f01
SHA1 hash:	1c7eaeb3540f98854bf25caf8d3486bbd0e1788f
MD5 hash:	d9266e1046dcb50d7888f0123937e1c2
humanhash:	sierra-ten-bacon-hydrogen
File name:	2026-01-21_d9266e1046dcb50d7888f0123937e1c2_glassworm_icedid_luca-stealer_njrat_stealc.exe
Download:	download sample
Signature	CastleRAT Create hunting rule
File size:	1'649'152 bytes
First seen:	2026-03-29 04:03:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	feb81294efff63737bcc7d08a56f0729 (1 x CastleRAT)
ssdeep	24576:2Rf0IUYY0AAh6t19jAexbIV6KpBPPq0Adou3hLBCUQq1q5zWjUGn6xIsKxLT:/NaSRFjU5en
TLSH	T13F75D507EBB651E4D8FAC1399666722BBC71385983349BD797408A474B62FF0E93E340
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	KnownSpotter
Tags:	castlerat exe

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

2026-01-21_d9266e1046dcb50d7888f0123937e1c2_glassworm_icedid_luca-stealer_njrat_stealc.exe

Verdict:

Malicious activity

Analysis date:

2026-03-12 01:49:41 UTC

Tags:

nightshadec2 botnet castlerat rat

Link:

https://app.any.run/tasks/b94bc2f5-e0ce-45c2-a07c-5b1e3780592a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NightshadeC2

Link:

https://www.capesandbox.com/analysis/59654/

Detection(s):

Win.Malware.Marte-10058720-0

YARA.CAPE_Nightshadec2.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b21bb45a439615ccbf9bbe

Tags:

infosteal dropper keylog virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Restart of the analyzed sample

DNS request

Connection attempt

Sending an HTTP GET request

Creating a window

Launching a process

Creating a process with a hidden window

Setting a global event handler for the keyboard

Connection attempt to an infection source

Sending a TCP request to an infection source

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug castlerat crypto evasive fingerprint keylogger microsoft_visual_cc nightshadec2 stealer unsafe windows

Link:

https://www.filescan.io/uploads/69c8a485e2df9aa488bc4b9f/reports/6516f3b9-bee2-4eda-85f6-21077c33250d/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-19T01:00:00Z UTC

Last seen:

2026-03-30T14:08:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/58a50720-f10f-40b9-8f7c-0809ca050bfc

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402/

Verdict:

Malicious

Threat:

Trojan-Spy.Win32.Stealer

Link:

https://tip.neiki.dev/file/8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402

Threat name:

Win64.Trojan.Vigorf

Status:

Malicious

First seen:

2026-01-20 02:05:00 UTC

File Type:

PE+ (Exe)

AV detection:

21 of 36 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ruxhpejofyoz3dfpw5wukytint5k2vlmuhprsgn7xiyewmizgqba._file

Verdict:

malicious

Label(s):

castlerat

Similar samples:

error

CastleRAT

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware stealer

Link:

https://tria.ge/reports/260329-emgx4sg14k/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402

MD5 hash:

d9266e1046dcb50d7888f0123937e1c2

SHA1 hash:

1c7eaeb3540f98854bf25caf8d3486bbd0e1788f

Link:

https://www.unpac.me/results/16d4301a-69ae-4622-8363-060b8a1a5dbd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	Macos_Infostealer_Wallets_8e469ea0 Create hunting rule
Author:	Elastic Security

Rule name:	NightshadeC2 Create hunting rule
Author:	YungBinary
Description:	NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_NightshadeC2_80e08aba Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/59654/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample