MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da
SHA3-384 hash: 77d9c66345d0e91c4ba65946e98b7e2b78e539b14ee206b5e30197fbf11c647ed597a235fa7ce3491ec6774fc649bcc2
SHA1 hash: 2855ba9589a87dcdac9b10bc386fb06a0581ea5e
MD5 hash: 05f518982807fa4037bbd29fb068049a
humanhash: seven-ten-pennsylvania-april
File name:liulanSetup-1263.msi
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:26'039'296 bytes
First seen:2026-03-18 11:19:06 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:jXG+LqVJEVEzdWPTZFyRXyX64Jrx/BBk4aIEVmCa3Ur3Jxpp7uEY7fAERV3z2oPd:jngJuPkQ64TBu5VmCaAVp7uVLN2i5
TLSH T101473325E6DFC532D66E407AE925FE1C08B9BEB3473015D7B3E8B9AE84B08C15274742
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter Ling
Tags:Gh0stRAT msi SilverFox Trojan:Win32/Malgent!MSR


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

SilverFox
IOC (Domain ee.bsjdwn.com) (IP 185.203.39.52) (IP 185.203.39.55)

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/740c9729-d267-4066-a8fe-a76279b3a9e8/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57978/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba8a4088c80c01586b9c39
Tags:
stration virus small
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 CAB cmd expand expired-cert explorer explorer fakeapp findstr fingerprint fingerprint installer lolbin lolbin msiexec packed rundll32 short-lived-cert wix
Link:
https://www.filescan.io/uploads/69ba8a394678eefbc7ae1898/reports/9023814c-4430-4e27-b39f-e7e27bb7d4df/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
Detections:
Trojan.Win32.Waldek.sb Trojan.MSIL.BypassUAC.sb Backdoor.Win32.Zegost.sb
Link:
https://opentip.kaspersky.com/b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da/results?tab=lookup
Score:
79%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da
Gathering data
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.BypassUAC
Link:
https://tip.neiki.dev/file/b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wuz5dsfh4vxxapdy7nmpemturhhtwqkb4didawu6d5rw7cdkwlna._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
error
Gh0stRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution installer persistence privilege_escalation trojan
Link:
https://tria.ge/reports/260318-ne1jxsgz4t/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Access Token Manipulation: Create Process with Token
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks whether UAC is enabled
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Microsoft Software Installer (MSI) msi b533d1c8a7e56f703c78fb58f2327489cf3b4141e0d0305a9e1f636f886ab2da

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57978/

Comments