MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CastleRAT

Vendor detections: 17

SHA256 hash: c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919
SHA3-384 hash: fb5d404695e6f51234d39077890e9b7cb14f33d045c640fff6867863c9f11e95dce7ae99abe774f7974d23e5337cc5c5
SHA1 hash: 5fd5058d11f0c6405886d9e38e62f4e608c6fd97
MD5 hash: a021630673fdf06c4669253d9e13075d
humanhash: winner-social-solar-speaker
File name: cotool.exe
Signature: CastleRAT
File size: 16'484'864 bytes
First seen: 2025-12-22 16:45:48 UTC
Last seen: 2025-12-23 07:58:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 661fc69f3108697bc229d2ef311102dd (1 x CastleRAT)
ssdeep: 98304:7MtFAoeoS90R2Ul3SMgyqZahkTNcX4Jp+eIbpgdQI:joeoJkUpNgyMpb+eIbp
TLSH: T19AF6396B73A19168C26DC13EC0A38F41E8F374B91B33C6F79AA5036C5E619C85D7A724
TrID: 39.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      37.6% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      7.6% (.EXE) OS/2 Executable (generic) (2029/13)
      7.5% (.EXE) Generic Win/DOS Executable (2002/3)
      7.5% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: ShadowOpCode
Tags: booking castlerat exe melasio-com miteamss-com partner-hotel-app

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 106
Origin country: IT
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: https://partner-hotel-app.com?eggydeixrrerrgh
Verdict: Malicious activity
Analysis date: 2025-12-22 13:28:55 UTC
Tags: susp-clipboard clickfix arch-exec evasion castlerat rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 94.1%
Tags: smarts micro crypt

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug embarcadero_delphi fingerprint keylogger packed

Verdict: Malicious
File Type: exe x64
First seen: 2025-12-20T07:31:00Z UTC
Last seen: 2025-12-22T23:58:00Z UTC
Hits: ~100
Detections: Trojan.Win32.APosT.blvr, Trojan.APosT.UDP.C&C, BSS:Trojan.Win32.Generic, Trojan-PSW.MSIL.Stealer.sb, Trojan-Spy.Win32.Xegumumune.sbc
Result
Threat name: CastleRAT, NightshadeC2
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Yara detected CastleRAT
Yara detected NightshadeC2
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: (graph rendering omitted) Behavior Graph ID 1837750; sample cotool.exe; start date 22/12/2025; architecture WINDOWS; score 100.
Process tree recovered from the graph: cotool.exe launches a second cotool.exe instance, powershell.exe, conhost.exe and WmiPrvSE.exe.
Network contacts recovered from the graph: miteamss.com (45.134.26.41, Russian Federation), www.ip-api.com (208.95.112.1, United States), steamcommunity.com, 23.214.233.226:443 (United States), plus 3 other IPs or domains.
Verdict: inconclusive
YARA: 7 match(es)
Tags: Executable Html PE (Portable Executable) PE File Layout Win 64 Exe x64

Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-12-22 16:45:26 UTC
File Type: PE+ (Exe)
Extracted files: 111
AV detection: 9 of 38 (23.68%)
Threat level: 5/5

Verdict: malicious
Label(s): castlerat
Similar samples:

Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware stealer
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: c39bc5b30eef8eb76a89a9686476c73b43989487b5adccd2c0d0044c5a23e919
MD5 hash: a021630673fdf06c4669253d9e13075d
SHA1 hash: 5fd5058d11f0c6405886d9e38e62f4e608c6fd97
Malware family: CastleRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: Check_OutputDebugStringA_iat

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: html_auto_download_b64
Author: Tdawg
Description: html auto download

Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name: Macos_Infostealer_Wallets_8e469ea0
Author: Elastic Security

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NightshadeC2
Author: YungBinary
Description: NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments