MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6aab1b6a150ee3cbc721ac2575c57309f307f69cd1b478d494c25cde0baaf85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CastleLoader

Vendor detections: 11

SHA256 hash: e6aab1b6a150ee3cbc721ac2575c57309f307f69cd1b478d494c25cde0baaf85
SHA3-384 hash: 50eea0253a8b05f08c42d04c9bb33b09a86f53a681b4874b185c1ed6daa17e676ac999f328144a792bd40384e63957d3
SHA1 hash: 1f88e8ac20f26775ab639cacaed3bb5344cd9a2b
MD5 hash: 5b8a5f2e30c507a532e13aa1955714ef
humanhash: item-lion-orange-nitrogen
File name: e6aab1b6a150ee3cbc721ac2575c57309f307f69cd1b478d494c25cde0baaf85
Signature: CastleLoader
File size: 95'132'820 bytes
First seen: 2025-11-05 09:49:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 81073f2b397217228357dd031a037bb5 (2 x CastleLoader)
ssdeep: 393216:Slg0RgcdW48wApekwgTeD26OLp0iS69bKISga5ddIORieiFuNSG7vg6:SlKW8HpFLXBdanBRi
Threatray: 2 similar samples on MalwareBazaar
TLSH: T112283327F264D03DC06A173245B6E6A08A3B7E20DD064D4F17EC798DEF729A10E3BA55
TrID: 38.1% (.EXE) InstallShield setup (43053/19/16)
      36.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      9.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      4.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: JAMESWT_WT
Tags: CastleLoader exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 441
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e6aab1b6a150ee3cbc721ac2575c57309f307f69cd1b478d494c25cde0baaf85
Verdict: Suspicious activity
Analysis date: 2025-11-05 10:22:24 UTC
Tags: themida vmprotect inno installer delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 95.7%
Tags: cobalt virus bckdr hype
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
DNS request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug bloated corrupted expand expired-cert fingerprint installer-heuristic lolbin microsoft_visual_cc obfuscated overlay overlay packed packed packed pnputil securom themidawinlicense timeout
Verdict: Malicious
Labeled as: Win64/Agent_AGeneric.FOS trojan
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-05T08:27:00Z UTC
Last seen: 2025-11-05T11:29:00Z UTC
Hits: ~10
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-07-11 07:55:30 UTC
AV detection: 18 of 36 (50.00%)
Threat level: 5/5
Verdict: malicious
Label(s): castleloader
Result
Malware family: castlebot
Score: 10/10
Tags: family:castlebot actor:tag_150 apt discovery themida trojan vmprotect
Behaviour
System Location Discovery: System Language Discovery
Themida packer
VMProtect packed file
CaslteBOT
Castlebot family
Detects CastleBOT payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments