MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gh0stRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8
SHA3-384 hash:	1e06d9eeb6e75997680bd7d3decc6dd2202a0811b326ae485e5afc01c4582bd13bb64d794c94d90c375af410116f8222
SHA1 hash:	71f2f6ff2a14a15d98ce8551f657e2c77cbd13d1
MD5 hash:	5b46fe5b3d4d895724a3ae3c05395fa1
humanhash:	winter-six-nitrogen-table
File name:	AceLauncher.exe
Download:	download sample
Signature	Gh0stRAT Create hunting rule
File size:	2'709'648 bytes
First seen:	2025-08-21 00:27:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efd455830ba918de67076b7c65d86586 (58 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep	49152:ZxXXm66OsEiwZarx4SXmeOaICYcOCjabxtfR7vusFMzubCuYJfUJtkWy1:ZxHXsDOuxDWeOvCN4xtf+JuYJfUJ9y1
TLSH	T1CBC5F123B2CB653FF17A8A3649B7D222493B7B6165138C669BF4086CCF261D01D3F646
TrID	60.0% (.EXE) Inno Setup installer (107240/4/30) 23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.8% (.EXE) Win64 Executable (generic) (10522/11/4) 3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	3e376a4ccc491345 (3 x Gh0stRAT)
Reporter	AntiSkidding
Tags:	EvilChef exe Gh0stRAT signed TamperedChef

Code Signing Certificate

Organisation:	Sunstream Labs (Capital Intellect Inc.)
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-11-15T00:00:00Z
Valid to:	2025-11-14T23:59:59Z
Serial number:	0a996159295e70ce0a7e393dd7b94b55
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	2ac3ba13f64ddbaf132d67254c08a6af9735d10dae6c8e85145d9c26c89bd13b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

243

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://www.acelauncher.com/

Verdict:

Malicious activity

Analysis date:

2025-08-20 22:33:54 UTC

Tags:

qrcode delphi inno installer stealer arch-exec auto generic

Link:

https://app.any.run/tasks/f97eda72-37c4-48aa-b284-a2819baca9b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22639/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a668298fd55a79c529871d

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Restart of the analyzed sample

DNS request

Connection attempt

Sending a custom TCP request

Loading a suspicious library

Searching for the window

Unauthorized injection to a recently created process

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint installer overlay packed signed threat zero

Link:

https://www.filescan.io/uploads/68a6682ea4bdac9f5ba1bf69/reports/bf25deb0-9978-41e5-a37d-d577970d40b8/overview

Verdict:

Suspicious

Labled as:

Trojan.Alien.aiuu

Link:

https://www.hybrid-analysis.com/sample/ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e410bd4c-3eb6-447e-81ef-8e64f4c9113d

Score:

24%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/5b46fe5b3d4d895724a3ae3c05395fa1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zjj7vpbs7r5z2bcbqbwm6i43czseu5ofvvyqjw3ebyxmem4mfhea._file

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/250821-aslq2aykx5/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Executes dropped EXE

Checks computer location settings

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/498b72da-f294-4883-b0ec-17f317e5ded6

Unpacked files

SH256 hash:

ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8

MD5 hash:

5b46fe5b3d4d895724a3ae3c05395fa1

SHA1 hash:

71f2f6ff2a14a15d98ce8551f657e2c77cbd13d1

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

31e9e57b283575e654016c623b1f45fca30997f0a991bbc7ffcf7df059584876

MD5 hash:

08d35f02b87808317f743a65401108ce

SHA1 hash:

f034427870fdbb4cda9bd5d429e4f9a9f2d9efd6

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

07ef19b651b57eb91aeea3d3a333f0016fd68cd1ac3dc7274e8aa06f2d9385cf

MD5 hash:

d10f070b329166e406716d0025f49a76

SHA1 hash:

0ab57e49990da7c93ea2f418e444afbafca12d4f

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

21660dbf9e5aca7f9600c778f60e11f9b81f0303f9e3fa9e1bc3f866d617a5e3

MD5 hash:

d8dc57caae5666690e9df6ef3cdde415

SHA1 hash:

1691488e6389d17450b1b7053142b772e52ebda6

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

a03a07000c56ec93077468f917807855ba4a2599e0e3e8372def7d5441849b60

MD5 hash:

9e24740487110178e9e2d7c179f026db

SHA1 hash:

2d8be6b91096e3947ba6701c47f94b3c58d24ba8

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

caf049d4a0fb603b98384bc1f8351a0a780fb849e19f1e353963b5ad81e36f21

MD5 hash:

6cf63116133782df076342ef85075eb1

SHA1 hash:

34b629dfa059bd9e0af3946cae04877ac63f4dd6

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

Parent samples :

3b76f84893607107497cfd838126ddfcc333f87aa71166d1696686618c577a94
95821099ba6bf139a8a748c9de9752604740b5ef2565a6db36fc740bb26ccf29
ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8

SH256 hash:

8a01128f928b500600738bbd6e18ec0cf03faf734f3212e16077f0a3b5ae138e

MD5 hash:

158ee415baa7600eb6f930a6f277a0c9

SHA1 hash:

73cc2b25f5f5f10f4af795218280a65a87e9575f

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

31fb413d80dac8ecac419d598ccb2f3103d25663baa68743cfe8bd6ebe300d5c

MD5 hash:

bd04a01cc02e018217380bcde2ad3aca

SHA1 hash:

84eafed1d665dfb177d705b850acec592981f451

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

9cb4373ba67c45b3b83eb82797f1aa1d7d3f4292791fdde5ce85a6251a94ea30

MD5 hash:

671244a83305cc67c7a16cc2bfaba932

SHA1 hash:

8a323030ac9d1592c562a85dc60a879619ca62cf

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

6874ec0f3520ccad0fc72ec9cc718d91d9ddbba6e6b9e721f4576f1516939d28

MD5 hash:

5fbdfbbe1af2b992f684e60611d3e6cc

SHA1 hash:

b8ce4401c07a43d276c612aed9d19c28257b7c41

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

e29d1c9981369d1e2aa3c56f40765eace8bb8d7aa1912ce74581b7f38dfe50cd

MD5 hash:

a7628b5c5c9c53f45cf2a42a288dfecc

SHA1 hash:

bf7d9068377986e117aadaf4a5fe9f633f3883c4

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

728345e56b9dbed6f1981821a5d744c8bf6102c672b65c1977d919d6781aca7f

MD5 hash:

b069ad964726de1137a2417af5d03952

SHA1 hash:

d702f6b050d57f6d4afc9d90bba769b618cf717e

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

SH256 hash:

c2c5fff238b6b28d94581a07cbe856e9770db63e544a3159fceff267eee47284

MD5 hash:

cf032b813d523c635961702496136e00

SHA1 hash:

df1e96b9c98d4822014787a0cd697f660dc25228

Link:

https://www.unpac.me/results/9ccc7a94-215e-4f28-b28f-5cd17431c319/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/ca53fabc32fc7b9d0441806ccf239b16644a75c5ad7104db640e2ec2338c29c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/22639/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::AllocateAndInitializeSid advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW advapi32.dll::EqualSid advapi32.dll::FreeSid
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken advapi32.dll::OpenThreadToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample