MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3232c7f77a8d126c696e362d943f07b714950e1012b38b3eb77982c5e2a06b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash: c3232c7f77a8d126c696e362d943f07b714950e1012b38b3eb77982c5e2a06b5
SHA3-384 hash: ef1115ad020508789d275dea0d55a764ff038fb6feeaecb7472150558f7b3a62a235d9094d9ee5c33762c73ae859c663
SHA1 hash: c1c4b90b93aa6c8c3f0c840250f2e2f9023ac453
MD5 hash: 1561136d0f3bfcad251f1baf2ca42718
humanhash: nine-saturn-cola-violet
File name:cloudflared_installer2.exe
Download: download sample
Signature Gh0stRAT
File size:21'770'420 bytes
First seen:2026-02-10 13:43:22 UTC
Last seen:2026-02-10 14:27:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (91 x Gh0stRAT, 22 x ValleyRAT, 6 x OffLoader)
ssdeep 393216:3ZvqLv+Ie71+adtYJ5gngtdZ7obVYhEhYsEsSjG8oCi4ErIkcaSmDKxEA0CUB:J0v+IOrQngMdZaVYhKws8oCi4qpK8B
Threatray 798 similar samples on MalwareBazaar
TLSH T1AF273313A28B253FF47D4E3A89B3E216583B7B6239028C67A7F4485CDE121D52D3F646
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon e88e69d4d4cc8ee8 (4 x Gh0stRAT, 1 x QuasarRAT)
Reporter Ling
Tags:Cybercrime exe Gh0stRAT Malgent Patched Trojan:Win32/Malgent!MSR


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)
IOC Domain [www.tamei.cyou]

Intelligence


File Origin
# of uploads :
2
# of downloads :
184
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LetsVPN2.exe
Verdict:
Malicious activity
Analysis date:
2026-02-07 10:40:30 UTC
Tags:
delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
emotet nemty
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug embarcadero_delphi fingerprint inno installer installer installer-heuristic invalid-signature packed signed soft-404
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-02-04T06:05:00Z UTC
Last seen:
2026-02-12T02:46:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan.Win32.Gasipi.be
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Gathering data
Threat name:
Win32.Backdoor.Valleyrat
Status:
Malicious
First seen:
2026-02-07 10:55:38 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery installer
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Badlisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
127.0.0.1:443
www.noggrtea.cyou:80
www.noggrtea.cyou:8080
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe c3232c7f77a8d126c696e362d943f07b714950e1012b38b3eb77982c5e2a06b5

(this sample)

  
Delivery method
Distributed via web download

Comments