MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b64f52ee31323774fa3ce8a78f33706f870289629235b914c477d991a054fa2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 13

SHA256 hash: b64f52ee31323774fa3ce8a78f33706f870289629235b914c477d991a054fa2c
SHA3-384 hash: b9ed66f8f9d2af10fc86a633b888f6bba78ca22830f5787e85603592d544e99b7e1c7a9c93befcbcfe848b1974c879b9
SHA1 hash: e28831a63114eba4f9d8f1c4d2b23d28a1d82967
MD5 hash: f6d1c961079cf7f05c1053724fa23dfe
humanhash: angel-colorado-indigo-tango
File name: MSTeams-8953.msi
Signature: Gh0stRAT
File size: 24'037'888 bytes
First seen: 2025-12-27 01:01:06 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 393216:2s/ATjRbpM+0XaPpenZ6z/637v1GhC5a3Cyq5DDEpz6E1G7B6T9tr/bRoq94A5nN:2a4bp90Xesu64hC5mtq9DEnXtHRoqx9N
TLSH: T1D6373325769BC532D96C407BEC68FE5E04BDBE63073011EBB7E83D5A88B08C19335A56
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: smica83
Tags: Gh0stRAT msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 54
Origin country: HU

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug base64 cmd expired-cert fingerprint installer lolbin msiexec short-lived-cert update wix
Result
Verdict: MALICIOUS
Details:
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Malicious
File Type: msi
First seen: 2025-12-26T22:14:00Z UTC
Last seen: 2025-12-26T22:31:00Z UTC
Hits: ~10
Detections: Backdoor.Farfli.TCP.ServerRequest, Backdoor.Win32.Farfli.dbcb
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contain functionality to detect virtual machines
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 1840171; sample MSTeams-8953.msi; start date 27/12/2025; architecture WINDOWS; score 100), recovered from the graph dump as a process tree with dropped files, contacted hosts and triggered signatures:

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures.

VC_radist.x64.exe
  drops C:\Users\user\AppData\...\VC_radist.x64.tmp (PE32)
  starts VC_radist.x64.tmp
    starts VC_radist.x64.exe
      drops C:\Users\user\AppData\...\VC_radist.x64.tmp (PE32)
      starts VC_radist.x64.tmp
        drops C:\inetpub\manu84rcySHX\is-2F382.tmp (PE32+), C:\inetpub\manu86rcySHX\is-1H32Q.tmp (PE32+), C:\inetpub\manu88rcySHX\UaS.dll (copy) (PE32+) and 3 other malicious files
        starts Cjq6Ht.exe
          signatures: Adds a directory exclusion to Windows Defender; Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
          starts elevation_service.exe
            signatures: Creates an undocumented autostart registry key; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
            injects into sihost.exe
              contacts 192.238.192.11 (LEASEWEB-USA-LAX-11, United States)
              signature: Unusual module load detection (module proxying)
            starts netsh.exe
              signature: Creates files in the system32 config directory
              starts conhost.exe
            starts cmd.exe
              starts conhost.exe, icacls.exe, icacls.exe
            starts 12 other processes
              contact 192.168.2.1
              start conhost.exe (x3) and 5 other processes
          starts powershell.exe
            signature: Loading BitLocker PowerShell Module
            starts conhost.exe, WmiPrvSE.exe
msiexec.exe
  drops C:\Windows\Installer\MSI3A5F.tmp (PE32), C:\Windows\Installer\MSI3A3F.tmp (PE32), C:\Windows\Installer\MSI34AF.tmp (PE32) and 6 other malicious files
  signature: Drops executables to the windows directory (C:\Windows) and starts them
  starts MSI3A3F.tmp (which starts conhost.exe), msiexec.exe, MSI3A5F.tmp
MSTeamsSetup.exe
  drops C:\Users\user\AppData\Local\...\Update.exe (PE32)
  signature: Contain functionality to detect virtual machines
  starts Update.exe
    contacts 51.105.71.137 (MICROSOFT-CORP-MSN-AS-BLOCK, United Kingdom), 52.113.194.132 (MICROSOFT-CORP-MSN-AS-BLOCK, United States) and 3 other IPs or domains
8 other processes
  contact 40.126.28.18 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), 23.4.43.62 (AKAMAI-AS, United States)
  signatures: Changes security center settings (notifications, updates, antivirus, firewall); Unusual module load detection (module proxying)
  start MpCmdRun.exe
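The sandbox signatures "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet" and "Adds a directory exclusion to Windows Defender" describe one technique: the dropped Cjq6Ht.exe starts powershell.exe, and the signature names indicate an encoded Add-MpPreference/Set-MpPreference call (the report above does not reproduce the command line). Because -EncodedCommand takes base64 of UTF-16LE text, a cmdlet name can land at any of three 3-byte base64 alignments and therefore has three different base64 spellings; the Sigma rule matches those fragments directly in the command line without decoding anything. The Python below is an added example, not code from MalwareBazaar, the sandbox vendor or the sample: it derives the alignment-independent fragments, runs them over constructed process-creation events, and decodes the payload for the analyst. The events, the exclusion path C:\inetpub and the cmdlet list are constructed assumptions.

```python
import base64
from typing import Dict, List, Optional

# Cmdlet spellings to hunt for. Base64 is case-sensitive, so the lowercase
# spellings are separate targets (assumed list, not copied from the Sigma rule).
CMDLETS = ["Add-MpPreference", "Set-MpPreference", "add-mppreference", "set-mppreference"]


def utf16le_b64_fragments(text: str) -> List[str]:
    """Base64 substrings present in the base64 of ANY UTF-16LE string that contains
    `text`, one per 3-byte alignment. Padding 0, 1 or 2 unknown bytes in front of the
    text reproduces the three ways it can straddle base64 groups."""
    raw = text.encode("utf-16-le")
    fragments = []
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + raw).decode("ascii")
        # First 4-char group mixes in the unknown preceding byte(s) when padded;
        # last group is partial (carries '=') unless the total length is a multiple of 3.
        start = 4 if pad else 0
        end = len(encoded) - (4 if (pad + len(raw)) % 3 else 0)
        fragments.append(encoded[start:end])
    return fragments


_FRAGMENTS: Dict[str, List[str]] = {c: utf16le_b64_fragments(c) for c in CMDLETS}


def matches_mppreference_sigma(command_line: str) -> Optional[str]:
    """Same idea as the rule's CommandLine|contains check: return the cmdlet whose
    encoded fragment appears in the raw command line, or None."""
    for cmdlet, fragments in _FRAGMENTS.items():
        if any(fragment in command_line for fragment in fragments):
            return cmdlet
    return None


def encode_powershell(script: str) -> str:
    """What gets passed to powershell.exe -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _encoded_argument(command_line: str) -> Optional[str]:
    """Value after -EncodedCommand, any unambiguous prefix of it (-e, -enc, ...) or -ec."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1:
            name = tok[1:].lower()
            if name == "ec" or "encodedcommand".startswith(name):
                return tokens[i + 1]
    return None


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the plaintext script for triage; None if no decodable payload is present."""
    payload = _encoded_argument(command_line)
    if payload is None:
        return None
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events) -> List[dict]:
    """Apply the fragment match to each event and attach the decoded script to hits."""
    hits = []
    for event in events:
        cmdlet = matches_mppreference_sigma(event["CommandLine"])
        if cmdlet:
            hits.append({"Image": event["Image"], "cmdlet": cmdlet,
                         "decoded": decode_encoded_command(event["CommandLine"])})
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events; the exclusion path is hypothetical and not
# taken from the sandbox report above.
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc "
     + encode_powershell(r"Add-MpPreference -ExclusionPath 'C:\inetpub'")},
    {"Image": PS, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -e "
     + encode_powershell("Get-Process | Out-Null")},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['Image']}: {hit['cmdlet']} -> {hit['decoded']}")
```

Only the first constructed event fires; a benign encoded Get-Process call and a Get-MpPreference query do not, because the fragments include the verb. Administrators do set exclusions from scripts, so the match is most useful combined with the parent process, which in this report is an executable dropped under C:\inetpub rather than a deployment tool.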

Verdict: njRat
YARA: 6 match(es)
Tags: .Net CAB:COMPRESSION:MSZIP Executable Managed .NET njRat Office Document PDB Path PE (Portable Executable) PE File Layout RAT SOS: 0.24 SVG

Gathering data

Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2025-12-25 10:52:22 UTC
File Type: Binary (Archive)
Extracted files: 128
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_MSI_LATAM_Banker_From_LatAm
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
