MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0
SHA3-384 hash:	d5a1536804265e93cf6ad0eba64770a0f73bd399366ca5bc0e0929ed1fb021f3b5448c54b05fed31bf4fc5688aed2bf6
SHA1 hash:	a131778f118e6d9514c8ca7b5c83d6ae10e6ca87
MD5 hash:	cab0982fbf54c3c1637d4a998ecc0103
humanhash:	fifteen-comet-cold-london
File name:	Instalador DXSafe Middleware - 1.0.34.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	19'807'106 bytes
First seen:	2026-01-14 20:54:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (74 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	393216:qfGNPP88gbdjKy4ASp+CPBH1/vbIJKnykRYBZh79Ff1c+cXrt:KI8/tSp+Un19ReZhZZqP
TLSH	T14A173327768765FEE46AC639497ED212453B7A916D228C2B52F808ECCF234D43D3F942
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	cibai
Tags:	exe Gh0stRAT

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/d55e4001-fbb9-4f1c-be66-b190465fa56c/

Malware family:

n/a

ID:

File name:

Instalador DXSafe Middleware - 1.0.34.exe

Verdict:

No threats detected

Analysis date:

2026-01-14 20:56:17 UTC

Tags:

delphi inno installer

Link:

https://app.any.run/tasks/fa581f12-ead1-42ac-9d5e-55622b72c502

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48928/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696802ca57243ef151cd30f1

Tags:

shellcode shell smtp

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed packed soft-404

Link:

https://www.filescan.io/uploads/696802c13827c9e1249e51cb/reports/bacfdb04-883a-4615-a23a-82c4c6568adc/overview

Verdict:

Malicious

Labled as:

Trojan.Alien.aiuu

Link:

https://www.hybrid-analysis.com/sample/b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0

Verdict:

Clean

File Type:

First seen:

2025-06-30T14:41:00Z UTC

Last seen:

2026-01-16T18:48:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0/results?tab=lookup

Score:

83%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/cab0982fbf54c3c1637d4a998ecc0103

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wxvc5hsvcmxmibgsn6pequrfgpokzzjnztrbxjet5uqtsow4dtqa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/260114-zqp34sex4g/

Behaviour

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/17b3935e-85b7-4558-9128-f63f4bb413bb

Unpacked files

SH256 hash:

1752f052416dd49940c028c86850feda06dd0b8a76b94269767a0bd6c6559d95

MD5 hash:

8b97c05468b989426eadf5d2fa272a45

SHA1 hash:

01dd453ab703311c534f222fd9ec73e9957c3b99

Link:

https://www.unpac.me/results/7121d0db-d1cf-4a58-a7fb-7017738a010a/

SH256 hash:

6cf595ef67bb741195bab42f3540933c51d6a5fd942ae21c1f01010d2b823872

MD5 hash:

af24bf3a7769e5d29610efbcff90f806

SHA1 hash:

0199bb30a54f87f04f518e918cc20035338d58b5

Link:

https://www.unpac.me/results/7121d0db-d1cf-4a58-a7fb-7017738a010a/

SH256 hash:

7073c56f91bf2194f0aee2b5762139453a64202c4df7ecaf4be7c27bc4633deb

MD5 hash:

5697d9a72bba8682e4383afe42015e9f

SHA1 hash:

0624ae44b6d01fabe2aa14900023b652fed69dbb

Link:

https://www.unpac.me/results/7121d0db-d1cf-4a58-a7fb-7017738a010a/

SH256 hash:

ade10e1cdc5d215453375778710ebeb8f58d9d76a5b4a2b854a4843e6ab29e54

MD5 hash:

1da9f3537972657e389e183301d39e0e

SHA1 hash:

819a699dc624fe187fd554e394785e6ad7b40e05

Link:

https://www.unpac.me/results/7121d0db-d1cf-4a58-a7fb-7017738a010a/

SH256 hash:

b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0

MD5 hash:

cab0982fbf54c3c1637d4a998ecc0103

SHA1 hash:

a131778f118e6d9514c8ca7b5c83d6ae10e6ca87

Link:

https://www.unpac.me/results/7121d0db-d1cf-4a58-a7fb-7017738a010a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

exe b5ea2e9e55132ec404d26f9e48522533dcace52dcce21ba493ed21393adc1ce0

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/48928/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample