MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29
SHA3-384 hash:	f8fbce57af92b211a8705b8d31691cae530e9722e58ec57f8d9903da617d3e4aa2cca5064cf5147e95955874634a4dce
SHA1 hash:	5e39b572d518ae6489f1d69bcf27061cc9b5c813
MD5 hash:	7e3340b478769aa5b9947eab431ec854
humanhash:	may-william-hydrogen-mississippi
File name:	AceLauncher.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	2'709'000 bytes
First seen:	2025-08-13 05:31:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (58 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	49152:cxXXm66Ost8YLLERAPhmLGtcm9pbqbxtfR7vusFMzubCuYJfUJtkWyD:cxHXstnERAPhmLuD9uxtf+JuYJfUJ9yD
TLSH	T1B6C5F123B2CB653FF07E4A364AB7D222593B7B6165128C669BF4086CCF260D11D3F646
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	3e376a4ccc491345 (3 x Gh0stRAT)
Reporter	AntiSkidding
Tags:	exe Gh0stRAT signed

Code Signing Certificate

Organisation:	Sunstream Labs (Capital Intellect Inc.)
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-11-15T00:00:00Z
Valid to:	2025-11-14T23:59:59Z
Serial number:	0a996159295e70ce0a7e393dd7b94b55
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	2ac3ba13f64ddbaf132d67254c08a6af9735d10dae6c8e85145d9c26c89bd13b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

AceLauncher.exe

Verdict:

Malicious activity

Analysis date:

2025-08-13 05:34:45 UTC

Tags:

delphi inno installer auto-reg adware innosetup

Link:

https://app.any.run/tasks/18325c65-8ef7-4864-835e-dca0003d056e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21037/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689c23609901157561b5b27d

Tags:

injection dropper micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Restart of the analyzed sample

DNS request

Connection attempt

Sending a custom TCP request

Loading a suspicious library

Searching for the window

Unauthorized injection to a recently created process

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint installer obfuscated overlay packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/689c23609ef4d2ff7cf9c434/reports/fabef515-35a1-4d4e-9cba-4d4e69dfe6df/overview

Verdict:

Suspicious

Labled as:

Trojan.Alien.aiuu

Link:

https://www.hybrid-analysis.com/sample/95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5ec3be87-cf70-43d7-acee-39a4c0205530

Score:

24%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/7e3340b478769aa5b9947eab431ec854

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=swbbbgn2npyttkfhjde55f2smbdubnppevs2nwzw7r2axmtmz4uq._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/250813-f8dy1sslv4/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Executes dropped EXE

Checks computer location settings

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d8d92c78-3dd8-415f-8f1a-12b623ab20be

Unpacked files

SH256 hash:

95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29

MD5 hash:

7e3340b478769aa5b9947eab431ec854

SHA1 hash:

5e39b572d518ae6489f1d69bcf27061cc9b5c813

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

6c103afcfcbc274496ea373f8bb7864c9c5c41ca7e87045e809704bb786c41b9

MD5 hash:

fb552233ef1a9380e2d1f7b6c316820d

SHA1 hash:

596e4062dde96dd71dda61834bd7958eecce607f

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

07ef19b651b57eb91aeea3d3a333f0016fd68cd1ac3dc7274e8aa06f2d9385cf

MD5 hash:

d10f070b329166e406716d0025f49a76

SHA1 hash:

0ab57e49990da7c93ea2f418e444afbafca12d4f

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

21660dbf9e5aca7f9600c778f60e11f9b81f0303f9e3fa9e1bc3f866d617a5e3

MD5 hash:

d8dc57caae5666690e9df6ef3cdde415

SHA1 hash:

1691488e6389d17450b1b7053142b772e52ebda6

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

a03a07000c56ec93077468f917807855ba4a2599e0e3e8372def7d5441849b60

MD5 hash:

9e24740487110178e9e2d7c179f026db

SHA1 hash:

2d8be6b91096e3947ba6701c47f94b3c58d24ba8

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

caf049d4a0fb603b98384bc1f8351a0a780fb849e19f1e353963b5ad81e36f21

MD5 hash:

6cf63116133782df076342ef85075eb1

SHA1 hash:

34b629dfa059bd9e0af3946cae04877ac63f4dd6

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

Parent samples :

3b76f84893607107497cfd838126ddfcc333f87aa71166d1696686618c577a94
95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29
ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8

SH256 hash:

8a01128f928b500600738bbd6e18ec0cf03faf734f3212e16077f0a3b5ae138e

MD5 hash:

158ee415baa7600eb6f930a6f277a0c9

SHA1 hash:

73cc2b25f5f5f10f4af795218280a65a87e9575f

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

31fb413d80dac8ecac419d598ccb2f3103d25663baa68743cfe8bd6ebe300d5c

MD5 hash:

bd04a01cc02e018217380bcde2ad3aca

SHA1 hash:

84eafed1d665dfb177d705b850acec592981f451

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

9cb4373ba67c45b3b83eb82797f1aa1d7d3f4292791fdde5ce85a6251a94ea30

MD5 hash:

671244a83305cc67c7a16cc2bfaba932

SHA1 hash:

8a323030ac9d1592c562a85dc60a879619ca62cf

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

87e591217b8b70ba77c6ab4397178955ee622ac2d46c5e64c583e05f0dee6253

MD5 hash:

5bc05917d65e86b0eb091228856bfe3c

SHA1 hash:

a840af3ae6c9551940acae097dc69c0648e4fdd5

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

6874ec0f3520ccad0fc72ec9cc718d91d9ddbba6e6b9e721f4576f1516939d28

MD5 hash:

5fbdfbbe1af2b992f684e60611d3e6cc

SHA1 hash:

b8ce4401c07a43d276c612aed9d19c28257b7c41

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

e29d1c9981369d1e2aa3c56f40765eace8bb8d7aa1912ce74581b7f38dfe50cd

MD5 hash:

a7628b5c5c9c53f45cf2a42a288dfecc

SHA1 hash:

bf7d9068377986e117aadaf4a5fe9f633f3883c4

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

SH256 hash:

c2c5fff238b6b28d94581a07cbe856e9770db63e544a3159fceff267eee47284

MD5 hash:

cf032b813d523c635961702496136e00

SHA1 hash:

df1e96b9c98d4822014787a0cd697f660dc25228

Link:

https://www.unpac.me/results/fb9573fd-63b5-4a9e-9543-81030d34b913/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21037/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::AllocateAndInitializeSid advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW advapi32.dll::EqualSid advapi32.dll::FreeSid
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken advapi32.dll::OpenThreadToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample