MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df
SHA3-384 hash: 91ae6b4f7937aace81fe7754fcec1ccfdae8c960566337ebe89ba867a4be8c639af827dc0e27e7330fb779583d97b3f4
SHA1 hash: c5a911399a81a99dcfe510cfa0a3ece6e3b36124
MD5 hash: 27aa01115d2abaed4c832ab9cdf02863
humanhash: whiskey-grey-london-network
File name:MSTeams-8447.msi
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:24'564'224 bytes
First seen:2026-02-08 10:57:38 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:0hYATjU5HvQzvAc9jG/lwN6EOBcKY2hAOVozyAshV1zTd5oW/hylj2:0mj5HvQdjG/MOBcn27oEhV1d5Wlj2
TLSH T1A2373321B2CBC432C59E007AEDA9FE5D14BABE730B3150D7A3E5BD9E84B08C15274B56
TrID 77.3% (.MSI) Microsoft Windows Installer (454500/1/170)
10.3% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.5% (.MSP) Windows Installer Patch (44509/10/5)
3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:154-218-3-133 CHN Gh0stRAT msi


Avatar
iamaachum
https://teams-app.com.cn/ => https://kemdjc2.huowdy.com/MSTeams.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/4ba4b12c-a92e-4869-a2aa-3e2f853025df/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52659/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69886c3142fd65534ccd67bb
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm base64 CAB cmd expired-cert farfli fingerprint installer lolbin msiexec packed runonce short-lived-cert update wix
Link:
https://www.filescan.io/uploads/69886c3f930564ff3c922ab9/reports/3f8e2461-312b-495b-a477-bfb5185dbff1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2026-02-08T08:05:00Z UTC
Last seen:
2026-02-08T08:24:00Z UTC
Hits:
~10
Detections:
Backdoor.Win32.Farfli.dcch Backdoor.Farfli.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1865530
Signature
Contain functionality to detect virtual machines
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1865530 Sample: MSTeams-8447.msi Startdate: 08/02/2026 Architecture: WINDOWS Score: 68 81 Multi AV Scanner detection for submitted file 2->81 83 PE file contains section with special chars 2->83 10 VC_radist.x64.exe 2 2->10         started        13 msiexec.exe 14 44 2->13         started        16 MSTeamsSetup.exe 5 2->16         started        18 2 other processes 2->18 process3 dnsIp4 59 C:\Users\user\AppData\...\VC_radist.x64.tmp, PE32 10->59 dropped 21 VC_radist.x64.tmp 1 10->21         started        61 C:\Windows\Installer\MSID66B.tmp, PE32 13->61 dropped 63 C:\Windows\Installer\MSID62C.tmp, PE32 13->63 dropped 65 C:\Windows\Installer\MSICF35.tmp, PE32 13->65 dropped 69 6 other malicious files 13->69 dropped 89 Drops executables to the windows directory (C:\Windows) and starts them 13->89 23 msiexec.exe 13->23         started        25 MSID62C.tmp 13->25         started        27 MSID66B.tmp 13->27         started        67 C:\Users\user\AppData\Local\...\Update.exe, PE32 16->67 dropped 91 Contain functionality to detect virtual machines 16->91 29 Update.exe 17 6 16->29         started        71 23.204.23.20 AKAMAI-ASUS United States 18->71 73 127.0.0.1 unknown unknown 18->73 file5 signatures6 process7 dnsIp8 32 VC_radist.x64.exe 2 21->32         started        75 20.189.173.27 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->75 77 20.44.10.122 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->77 79 4 other IPs or domains 29->79 process9 file10 49 C:\Users\user\AppData\...\VC_radist.x64.tmp, PE32 32->49 dropped 35 VC_radist.x64.tmp 17 32->35         started        process11 file12 51 C:\inetpub\wwwroot\yJEa\...\is-R5Y8J9P3JH.tmp, PE32+ 35->51 dropped 53 C:\inetpub\wwwroot\yJEa\...\is-BWUB4F3JAT.tmp, PE32+ 35->53 dropped 55 C:\inetpub\...\Y83pWBIjvyLS.exe (copy), PE32+ 35->55 dropped 57 2 other malicious files 35->57 dropped 38 powershell.exe 35->38         started        41 powershell.exe 35->41         started        43 Y83pWBIjvyLS.exe 35->43         started        process13 signatures14 85 Loading BitLocker PowerShell Module 38->85 45 conhost.exe 38->45         started        47 conhost.exe 41->47         started        87 Found direct / indirect Syscall (likely to bypass EDR) 43->87 process15
Score:
57%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net CAB:COMPRESSION:MSZIP Executable Managed .NET Office Document PDB Path PE (Portable Executable) PE File Layout SOS: 0.24 SVG
Link:
https://app.malva.re/file/27aa01115d2abaed4c832ab9cdf02863
Gathering data
Verdict:
Malicious
Threat:
Backdoor.Win32.Farfli
Link:
https://tip.neiki.dev/file/96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s32mb2c2dei6xlmqr7ur56g6gtylpsysfbdrfh5sysw2srfsylpq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
defense_evasion execution installer persistence privilege_escalation
Link:
https://tria.ge/reports/260208-m2yheaav9c/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Microsoft Software Installer (MSI) msi 96f4c0e85a1911ebad908fe91ef8de34f0b7cb122847129fb2c4ada944b2c2df

(this sample)

Gh0stRAT

Executable exe adbe2e211ee1636d1e6d6a547cb7a84a977417794668ea5e9cca3bf859d0f8a6

  
Link
https://tria.ge/260208-mtz19sas6d/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/52659/
  
Dropping
SHA256 adbe2e211ee1636d1e6d6a547cb7a84a977417794668ea5e9cca3bf859d0f8a6
  
Dropping
MD5 40aa4fb7fb7f9e34d00e3d95831caf86

Comments