MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443
SHA3-384 hash: 832774c86ca0665a5704e0503d0ed9a50326d798f8ff21b62374aa34ae711a44b22a666a41b2b685b928800f8315aa0c
SHA1 hash: f36e27bb4d9f1da78e5496d8aa169bd509c399db
MD5 hash: 5ff577c8e34c2a061f7e2345b9269eea
humanhash: leopard-three-monkey-pasta
File name:F_Exe1
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:19'597'244 bytes
First seen:2026-03-31 14:30:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 9 x HijackLoader, 8 x ValleyRAT)
ssdeep 393216:yDUyyrCXbSog5gwvkrerTe9Ve1I/2tNt8EtQmdBDvdn8oOjblIQggliprD:2c+bS55gSkCXMI1msLJx7DvmoAhIC+D
Threatray 625 similar samples on MalwareBazaar
TLSH T1C3173313B18E673EF06B8A3659625A51543FBA21652ECC73C6E08A4CCE1E0641DBFF47
TrID 61.4% (.EXE) Inno Setup installer (107240/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.7% (.EXE) Win64 Executable (generic) (6522/11/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70e88ece8e8ee870 (1 x Gh0stRAT)
Reporter aachum
Tags:bb-kgdhjc-com CHN exe Gh0stRAT


Avatar
iamaachum
https://teams-app.com.cn/ => https://lek3jjdne.x98665.com/Teams12.5.zip

C2: bb.kgdhjc.com (154.218.3.136:22)

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
ES ES
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
MSTeams_370.msi
Verdict:
No threats detected
Analysis date:
2026-03-31 14:31:54 UTC
Tags:
generated-doc
Link:
https://app.any.run/tasks/d63d6ea5-8812-4a20-964b-2fc57e252c7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/59914/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cbdabc3a18a6e1ddf00a57
Tags:
spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Moving a recently created file
Connection attempt
Launching a service
Creating a service
Enabling autorun for a service
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic packed soft-404
Link:
https://www.filescan.io/uploads/69cbdab82346b9da57b39d7b/reports/54c3a592-0ffb-4c46-bbed-6ee80b341ae3/overview
Verdict:
Suspicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443
Verdict:
Clean
File Type:
exe x32
First seen:
2026-03-31T12:52:00Z UTC
Last seen:
2026-04-01T00:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1891514
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Drops PE files to the document folder of the user
Hijacks the control flow in another process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1891514 Sample: F_Exe1.exe Startdate: 31/03/2026 Architecture: WINDOWS Score: 100 91 hc15.bitf.net 2->91 103 Suricata IDS alerts for network traffic 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 6 other signatures 2->109 11 F_Exe1.exe 2 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 2->17         started        19 8 other processes 2->19 signatures3 process4 dnsIp5 85 C:\Users\user\AppData\Local\...\F_Exe1.tmp, PE32 11->85 dropped 22 F_Exe1.tmp 11 11->22         started        123 Changes security center settings (notifications, updates, antivirus, firewall) 14->123 26 MpCmdRun.exe 14->26         started        125 Unusual module load detection (module proxying) 17->125 93 127.0.0.1 unknown unknown 19->93 28 dasHost.exe 19->28         started        file6 signatures7 process8 dnsIp9 77 C:\Users\user\Documents\...\wi.Gh (copy), PE32+ 22->77 dropped 79 C:\Users\user\Documents\...\is-N1JMI.tmp, PE32+ 22->79 dropped 81 C:\Users\user\Documents\...\is-HSVK4.tmp, PE32+ 22->81 dropped 83 2 other files (1 malicious) 22->83 dropped 111 Drops PE files to the document folder of the user 22->111 31 PMlRF.exe 1 22->31         started        34 powershell.exe 33 22->34         started        36 powershell.exe 33 22->36         started        38 conhost.exe 26->38         started        95 192.168.2.10 unknown unknown 28->95 97 239.255.255.250 unknown Reserved 28->97 file10 signatures11 process12 signatures13 127 Adds a directory exclusion to Windows Defender 31->127 129 Maps a DLL or memory area into another process 31->129 40 elevation_service.exe 31->40         started        43 powershell.exe 31->43         started        131 Loading BitLocker PowerShell Module 34->131 45 conhost.exe 34->45         started        47 conhost.exe 36->47         started        process14 signatures15 113 Creates an undocumented autostart registry key 40->113 115 Hijacks the control flow in another process 40->115 117 Writes to foreign memory regions 40->117 121 2 other signatures 40->121 49 sihost.exe 40->49 injected 53 netsh.exe 40->53         started        55 cmd.exe 40->55         started        59 16 other processes 40->59 119 Loading BitLocker PowerShell Module 43->119 57 conhost.exe 43->57         started        process16 dnsIp17 87 154.218.3.133, 22, 52697 BILLY-AS-APAntboxNetworkCN Seychelles 49->87 99 Unusual module load detection (module proxying) 49->99 101 Creates files in the system32 config directory 53->101 61 conhost.exe 53->61         started        63 conhost.exe 55->63         started        65 icacls.exe 55->65         started        67 icacls.exe 55->67         started        89 192.168.2.1 unknown unknown 59->89 69 conhost.exe 59->69         started        71 conhost.exe 59->71         started        73 conhost.exe 59->73         started        75 11 other processes 59->75 signatures18 process19
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/5ff577c8e34c2a061f7e2345b9269eea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-03-31 11:48:06 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xe4dnjsyoyhes7c23wl4rkfum5nplm277zlo7fnvnzvkccoterbq._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
4dfbe6c31795df455a524891c834173ee7d69e1ecea512ae345a4c173e83e465
Gh0stRAT
52bc6f40fbaaaca7535503c680ae568c9968eea1cad48d609ee7952565067048
Gh0stRAT
59e86e944f7eed1e774378c3eea29189f4b246da3713f8ebc2e0b5e4bdef751f
Gh0stRAT
6ff6f1c3645aba69a76956ec87d2932a9ed58c61a56a30bc7cc3f89d539510fb
Gh0stRAT
753b303973168c299f18023a946dd0771efddebc484f4c0f91cf0351ec5d23dd
Gh0stRAT
82400202f2bfeaa2b43111ad71931f00a27f47409001ece27f54009440b1643f
Gh0stRAT
9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
Gh0stRAT
a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145
Gh0stRAT
b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443
Gh0stRAT
error
Gh0stRAT
+ 615 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution installer
Link:
https://tria.ge/reports/260331-rvv6xsbs8l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Executes dropped EXE
Unpacked files
SH256 hash:
b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443
MD5 hash:
5ff577c8e34c2a061f7e2345b9269eea
SHA1 hash:
f36e27bb4d9f1da78e5496d8aa169bd509c399db
Link:
https://www.unpac.me/results/aff8612a-c622-448d-a931-8fcf13bbc452/
SH256 hash:
d61872fcf9a06696e6d7f1733541361cadc21e5bbda895fd470158c79a6926d6
MD5 hash:
94212ab96bb9885a8e208f360d31f088
SHA1 hash:
6da6ecbe202805a8e8abed1e0359d311f85d0dee
Link:
https://www.unpac.me/results/aff8612a-c622-448d-a931-8fcf13bbc452/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b93836a65876/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Microsoft Software Installer (MSI) msi 0cbfb6577e081e6c10a8da3b73df29b9ed2482ca7fb68993fa91b4a084ea9fea

Gh0stRAT

Executable exe b93836a658760e497c5add97c8a8b4675af5b35ffe56ef95b56e6aa109d32443

(this sample)

  
Link
https://tria.ge/260331-rm9pcaa17k/behavioral2
  
Dropped by
SHA256 0cbfb6577e081e6c10a8da3b73df29b9ed2482ca7fb68993fa91b4a084ea9fea
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/59914/
  
Dropped by
MD5 754e5826ad8389170fe886a16d876244

Comments