MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gh0stRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd
SHA3-384 hash: 2de415b96242b27f1575fa5dd6a74581d3f61c3cf8e67239cc86c51c10fc7fad3fd0ee98ab66e7f58f3d368f6867fa35
SHA1 hash: 1d21abee50b1ee7fd01fcc21166f1f8455704082
MD5 hash: 7ec79854bd2fb14b8a5c92ae336bb014
humanhash: cardinal-fanta-alabama-november
File name:Firefox Installer.exe
Download: download sample
Signature Gh0stRAT
Create hunting rule
File size:3'587'778 bytes
First seen:2026-05-18 10:48:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (81 x Gh0stRAT, 22 x ValleyRAT, 6 x OffLoader)
ssdeep 98304:35fgQnypnQcHttg+E2o3ItcCJ/P1eBCwpgZ:JbnypnFHttgID9QCf
Threatray 705 similar samples on MalwareBazaar
TLSH T124F50127B2CB653FF0AA4A364977E212593B7A6169134C6797F4085CCF2A0D02E3F746
TrID 63.8% (.EXE) Inno Setup installer (107240/4/30)
24.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (6522/11/2)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter Ling
Tags:Cybercrime exe Gh0stRAT SilverFox ValleyRAT


Avatar
CNGaoLing
Cybercrime
IOC (Domain oidng2.duoshit.com)

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/db0778c2-e325-4202-844b-31edd747a1ed/
Malware family:
n/a
ID:
1
File name:
Firefox Installer.exe
Verdict:
No threats detected
Analysis date:
2026-05-18 10:45:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65e14faa-2073-4956-82c3-009a3be8b3ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66274/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0aee773f97dd5ad5ac2885
Tags:
injection dropper
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic packed reconnaissance
Link:
https://www.filescan.io/uploads/6a0aee77efbd399b39b6d2f2/reports/c263e53f-febe-4b81-bd90-9eddcf8e3933/overview
Verdict:
Malicious
Labled as:
Trojan.Agent.oa
Link:
https://www.hybrid-analysis.com/sample/c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-17T23:13:00Z UTC
Last seen:
2026-05-17T23:27:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Convagent.gen
Link:
https://opentip.kaspersky.com/c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/268baa47-4392-45c1-8e6d-cc3bdd1d8769
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7ec79854bd2fb14b8a5c92ae336bb014
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd/
Verdict:
Malicious
Threat:
Trojan.Win32.Convagent
Link:
https://tip.neiki.dev/file/c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-05-18 06:37:48 UTC
File Type:
PE (Exe)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgfmtf7c7hppqpxc3roh5bhaarbdvi27otewawaudza476u5whgq._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
6d21ee2bece595eaec2814ee8c475dc278b37476645251fe5ee9d309bc58bade
Gh0stRAT
7a876df85aec34d6cc3758543e5f423008d55bd2b6efb8630f7578a9d161b848
Gh0stRAT
a4ac7e6a322f8ad738247897c50c4e272ee9b3ff331576b0ac5f86e389b34086
Gh0stRAT
bf3328f7f04d8c1bb4ba499e4e9d867d35115dfd1908258817dc604e751ad870
Gh0stRAT
c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd
Gh0stRAT
error
Gh0stRAT
fbdc52e893c216d9069764379d6b7d08f13c2572d8b92f30a8ea999421301918
Gh0stRAT
+ 695 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd
MD5 hash:
7ec79854bd2fb14b8a5c92ae336bb014
SHA1 hash:
1d21abee50b1ee7fd01fcc21166f1f8455704082
Link:
https://www.unpac.me/results/d19a22b1-fc99-4bfc-885f-c1376dce5162/
SH256 hash:
e265544e6764459dd02530080af9e68942b5dd33105d435464bf92335231cc88
MD5 hash:
e5ba823ee037d5b2f37d455af1a6cb43
SHA1 hash:
92a17ccf80af5279eb551f02755985e2eba8b565
Link:
https://www.unpac.me/results/d19a22b1-fc99-4bfc-885f-c1376dce5162/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe c98ac997e2f9def83ee2dc5c7e84e004423aa35f74c96058141e41cffa9db1cd

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66274/

Comments