MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 10 File information Comments

SHA256 hash:	ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb
SHA3-384 hash:	3e5a8a19228bcf41ee7b76509e05e43a2c98258702c782c4ef1958ea754f65387b93b62f8e4d91b8a32e04d190e28ae4
SHA1 hash:	246b3d9ecf5d947c8d91ae95a62f69043565bdc1
MD5 hash:	5fac2bcbe4196084e3f584c4dac99ca3
humanhash:	uncle-violet-kansas-robin
File name:	_setup64.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	14'874'572 bytes
First seen:	2025-07-02 07:19:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (67 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	393216:+PH0cbgC6nF8F+TMovNn8O/alox9oJjNMpz:qHqaF/o1n8OEc5pz
TLSH	T132E62313B28BA13FF07A5A320AA6C12655336F616A134C97EBF4082DDF351D42D3F696
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	c420198cc4d1f030 (1 x Gh0stRAT)
Reporter	kafan_shengui
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_setup64.exe

Verdict:

Malicious activity

Analysis date:

2025-07-02 07:18:13 UTC

Tags:

phishing

Link:

https://app.any.run/tasks/36ab5b5e-1ee0-4466-b2af-5b95cd11e22a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/11937/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6864dd36900df8e7f8655375

Tags:

shellcode dropper spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Searching for the window

Creating a file

Moving a recently created file

Creating a process with a hidden window

Launching a service

Creating a service

DNS request

Unauthorized injection to a system process

Enabling autorun for a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

embarcadero_delphi fingerprint installer invalid-signature overlay overlay packed signed

Link:

https://www.filescan.io/uploads/6864dd82714e106cecb9980f/reports/b97a85bd-bbc3-40a6-a6eb-63fb4b6710e6/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b91f3648-0295-4775-8e91-dbe5a9377106

Score:

35%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/5fac2bcbe4196084e3f584c4dac99ca3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-07-02 07:18:14 UTC

File Type:

PE (Exe)

AV detection:

13 of 38 (34.21%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vm7mgfct6sylbrxqtqyeoowpy7fkvsjze6xt6sb633vsktccodvq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/250702-h5pmfstvbx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System Location Discovery: System Language Discovery

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7aeae6cc-d921-4224-9d05-64d2d19d7b1e

Unpacked files

SH256 hash:

ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb

MD5 hash:

5fac2bcbe4196084e3f584c4dac99ca3

SHA1 hash:

246b3d9ecf5d947c8d91ae95a62f69043565bdc1

Link:

https://www.unpac.me/results/41c7944a-542e-4972-91bd-b7255504e432/

SH256 hash:

038d3d884aba55b12cf569a306392aa135e89fe505a64f1fb0903ca787f70fde

MD5 hash:

306b344cd8bb36936ff0f3b6106d5e2c

SHA1 hash:

da7c455a576fc6f26fdc3d719b477a730a23a230

Link:

https://www.unpac.me/results/41c7944a-542e-4972-91bd-b7255504e432/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab3ec31453f4b0b0c6f09c30473acfc7caaac93927af3f483edeeb254c4270eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11937/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::AllocateAndInitializeSid advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW advapi32.dll::EqualSid advapi32.dll::FreeSid
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken advapi32.dll::OpenThreadToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample