MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 10



SHA256 hash: ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4
SHA3-384 hash: 1fecaf721107483fd45cf381eda1cb1f2448d86a933ce1c15a0ced2109e7f63dcca1ad2068bfa6b8d11751b20ae52b82
SHA1 hash: 75940eec8742f0a18dbbe4731003c1679b007905
MD5 hash: 682f8007097d57089b6b952078dfefde
humanhash: apart-massachusetts-hotel-tennis
File name: uer-utuq.exe
Signature: Gh0stRAT
File size: 90'013'464 bytes
First seen: 2026-05-21 03:25:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (87 x Gh0stRAT, 22 x ValleyRAT, 6 x OffLoader)
ssdeep 1572864:5m47bgDv1zGjnDl0hAENBqo0gDZHPrzyzNgargnchnAOnLS2ZcpNaW3hTr:hbUzqqFHPNZv8gajpQNakp
Threatray 1'432 similar samples on MalwareBazaar
TLSH T11C18332576C3817FF1B60A361A67E9635A7B7AB264170C67ABF0151CCF380A11E3F606
TrID 61.4% (.EXE) Inno Setup installer (107240/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.7% (.EXE) Win64 Executable (generic) (6522/11/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 64e4e0a039b6f861 (1 x Gh0stRAT)
Reporter Ling
Tags: exe Gh0stRAT SilverFox ValleyRAT


CNGaoLing
SilverFox
IOC (IP 154.12.19.41)

Intelligence


File Origin
# of uploads: 1
# of downloads: 167
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: uer-utuq.exe
Verdict: No threats detected
Analysis date: 2026-05-21 03:30:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic packed reconnaissance
Verdict: Malicious
File Type: exe x32
First seen: 2026-05-21T00:24:00Z UTC
Last seen: 2026-05-22T02:03:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Win32.Convagent.gen
Gathering data
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2026-05-21 03:27:48 UTC
File Type: PE (Exe)
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery installer
Behaviour
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe ca70bc178c645aa50bb22b4845b552fedeea69d4023922cfbc57d79ce27b31d4 (this sample)

Delivery method: Distributed via web download

Comments