MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GhostSocks


Vendor detections: 13


Intelligence 13 IOCs YARA 30 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7
SHA3-384 hash: d69508742f4c8495cef3d7e4dd59daf06ac995ff7ba9f9120c7eaf04a863881348466e360f7e2b9c1fc4aff99cc43e42
SHA1 hash: 80c8eae9d68b74ce35b1cfd75b7532f3ca1216d1
MD5 hash: 766387eac5b4cfb4e8eac592d115a856
humanhash: network-ack-white-early
File name:Renewable.exe
Download: download sample
Signature GhostSocks
Create hunting rule
File size:12'350'480 bytes
First seen:2025-11-18 06:41:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dba7c9befb7b5aa49387e723ba713fea (1 x GhostSocks)
ssdeep 196608:jgfMI54YsDVf4nN5LXo/79W9BFXZwQ46uSk:jha5Rrroz9kXZa
TLSH T108C6CFC367F91732E6AE0F79ACBC45110A71BD06BE2DE60E1945B4AB8977340B903367
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 4cb26964b0cc45ba (3 x Rhadamanthys, 1 x RaccoonStealer, 1 x LummaStealer)
Reporter abuse_ch
Tags:exe GhostSocks

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4-KMSpico.rar
Verdict:
Malicious activity
Analysis date:
2025-11-17 18:12:01 UTC
Tags:
autoit lumma stealer loader golang
Link:
https://app.any.run/tasks/24f61906-8367-41a9-a55b-6064473d203e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38525/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691c1554bdb0ec3a9dc30034
Tags:
dropper micro
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm anti-vm base64 evasive expired-cert installer-heuristic invalid-signature keylogger overlay packed privilege reconnaissance short-lived-cert signed
Link:
https://www.filescan.io/uploads/691c1550ee9cbb28043f17d7/reports/25142594-6213-43a1-ae27-f0b4c8a102fc/overview
Verdict:
Suspicious
Labled as:
GenKryptik.HMXO trojan
Link:
https://www.hybrid-analysis.com/sample/ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7
Verdict:
Clean
File Type:
exe x32
First seen:
2025-11-17T11:21:00Z UTC
Last seen:
2025-11-19T23:17:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/24a4e90d-e061-480f-88ab-f05287dadbe8
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1815787
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious PE digital signature
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Multi AV Scanner detection for submitted file
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.09 SOS: 0.10 SOS: 0.12 SOS: 0.14 SOS: 0.17 SOS: 0.18 SOS: 0.19 SOS: 0.22 SOS: 0.24 SOS: 0.26 SOS: 0.27 SOS: 0.30 SOS: 0.33 SOS: 0.34 SVG Win 32 Exe x86
Link:
https://app.malva.re/file/766387eac5b4cfb4e8eac592d115a856
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7/
Verdict:
Malicious
Threat:
NetworkReferences.Malware.Generic
Link:
https://tip.neiki.dev/file/ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-18 04:28:57 UTC
File Type:
PE (Exe)
Extracted files:
628
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kjysrr37vty4q66f2ynkwpwphcbujcyqs35tpb2znetpfnrlldq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/251118-hgjrasvndp/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62a4805a-e85d-4075-b78b-5627f8f6cee6
Unpacked files
SH256 hash:
ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7
MD5 hash:
766387eac5b4cfb4e8eac592d115a856
SHA1 hash:
80c8eae9d68b74ce35b1cfd75b7532f3ca1216d1
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
4fb1cebbc0e9d7843ca30020a113a50292a0f163093fbb84e5a7cb102596ea8b
MD5 hash:
b7cadd53edb77f68dab0e6f5b22f86eb
SHA1 hash:
14de486aeabed48cf7c255f5db0d389f2b471133
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
cfce08672bab618056153ba2c5dd931b535bfc0f55da25934ad838a5152a77a0
MD5 hash:
a5ada74946fe4397f72dc7a4fb719a81
SHA1 hash:
e1edbb813176ef5c1761283dd203c1c0dec1e926
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
76df182382478f933ace810f5de6cd2fd6d3b55cc1274729a7bc501c35135e6b
MD5 hash:
116b38262c44d09b561d67be225c7658
SHA1 hash:
26cf616e11c9f6c75ab48763b6cadc8235fd53cc
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
df7c12623ac5912348b7b1596e614cd0a29dc5dd06f28a050c16462c455c2f9a
MD5 hash:
6ab9a4a1769b24f4f7ea01e0633f5e2c
SHA1 hash:
aa99c0d82f3636f9d4decbb17831c74aa81cefbc
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
bb431ce8a63bbebe65675b3a10782dd0d1ee30f42e018e16f75cad6093b5d635
MD5 hash:
b05baf8d15ac47e905d00c91881adbf5
SHA1 hash:
f4b9bde529434eb64b3f2e09e79cdfcae8617272
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
cec5809965c3a0ec90e83b2fe4f905e930bf1a10b453bd82e60f974536603980
MD5 hash:
100d29766aab7c08950f9b4187057f76
SHA1 hash:
38b0164dc1bb6ebdf69dad72ffb05ee382b40374
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
f2a0cc383bdecae1ac3fc3ded8e448cc7b0ba977745d7d061b07b759e5827295
MD5 hash:
c5ca47b1eae81801786198e08da063d0
SHA1 hash:
ca62f6a544bd614d2c00881bcb25998091ce9f01
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
aad03208376c4a1d1b9afbb6a547afda7a674e1bd08c2b9e67c35839988ac9c7
MD5 hash:
948445d7b42ddfcd86d3c039809cfe72
SHA1 hash:
75342b17401a49cc45a9dd65274e4d1806796faf
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
41223c4a8d2433fed4e4b8062f59f20ce9839676fd0a5f70551920ef6d362481
MD5 hash:
099ed163f33ebe67e0734f8f3e85f842
SHA1 hash:
994786cedb42065f9ce840ad9473cbeff3279824
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
d4f08d4f434ecb9063f25b5b19d5e33941c2940061fd15bb3edaf873269772ec
MD5 hash:
b9ff501f1e784053f14e473cd761798d
SHA1 hash:
bd3005df22ecda611151e3befc14ba141fb215a6
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
4b1b8d041ba16cef7f1dbaab69b8621e6268acc328157e1312a79fa4c2c37fb9
MD5 hash:
fef184dfe67b759b4db18faf32aa4607
SHA1 hash:
55b89dcce308b144096d5ac730f0756da96ff732
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
cd61e306d312d724499ef1084adc5fe237aaa1a54c96367b68b36214753b5a4a
MD5 hash:
94eb13eb12f41284ebe1525eebcc4cc2
SHA1 hash:
81b33da307898341b0d6314e2b73a8daada0d015
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
540551133e333a02e1f8b67adb44e06a2353069d599774566c3b7652e470acdd
MD5 hash:
3fb16c3fdccef35c1c6030346aa7f45a
SHA1 hash:
23778f211dbc961bfb03886485bdaff65ed319b1
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
fc2b2f005adf47577e1b8390477929ef878f1a734ca7fe5d9364259bdfd7af6c
MD5 hash:
11fd233698ef270cae106373a92a75d5
SHA1 hash:
33c6de4aac5828cc6af331b1efd7821aa6d43437
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
6fbed35d8bdb0bc3aad6282a0c6be924fb7a948bf7500a0c808fb9f8e067a9cf
MD5 hash:
af97680b59dd54df6bee1f2671c2510f
SHA1 hash:
47f11a1629156b3173f7bbcfd54fc23454556582
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
3827078c988e4723c1053ae0bfddd522db2be2192b6cf479e7aa788a226ca010
MD5 hash:
1d96dd26400bd3e3927f1f0c5f50510b
SHA1 hash:
9756c7a5c6e16b45513c379945a103bf97dc14cc
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
f482ac407cec6b46accaa0377cd905223414ab6f9a5a0acf226e288d7c9bfb95
MD5 hash:
2afae4f00a096efdd1790eb7f40beb4c
SHA1 hash:
e0ed152d8d10b12398a5e9010d3becb98d76bd75
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
507ade5cf8feae4b3dbaa80caf382a68791478c7d5b017ad8e1a245797a0c37e
MD5 hash:
3cfc0269001645639917e30d9260659d
SHA1 hash:
0ccd464f4d650c1a67facc7da36579a829471936
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
665de23a8f3dc24693f03059c9855e31c1a61f22fcea7f985486b45ab2ca6015
MD5 hash:
af2a68deacc38cc16560d404f130659f
SHA1 hash:
b2a34e962c659fe2d54996dd5a94502baadce726
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
2bf2ba7d6d5ec14f55c8023e78667c5aa899c0fd75018c801c7ca566308d91a4
MD5 hash:
2dd9859c9d889ea97237abdb0c0054cf
SHA1 hash:
0276c59150cc28db55409d079e772e081cb92c1c
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
5e1e474201c4a804900ca2ff405179a8f6676c0eedd72b62758a0f6ef02a4817
MD5 hash:
4e63c55815ff3499a23cff3d54f483e3
SHA1 hash:
9f5bc149fd9aa470290895fea26da0775f72bfd6
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
6c2b962b8d58bf9a2f52575753a7f83e288368441fe652bd40e3f94a48dbb755
MD5 hash:
d5e98b03fa9fd0bcd70b3d77d9b3d0ea
SHA1 hash:
aa5f49dc4d59d88ade3d0f1373fb448b342444f6
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
0b9bbe37c275d5dba6b2f7b06c59f4589af690d7dcd67f220d2b616665983cdd
MD5 hash:
a360b7142401353eab5249a0a035d43e
SHA1 hash:
324a9d6ddff64f9049ea7121e1e6536b5b76d4c7
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
SH256 hash:
4c7476b57782a6c13f3c7af399244835169dfb1897cce894b47db4df71a38064
MD5 hash:
fdcd5ccd51cd5ff7e14fabe11d242e00
SHA1 hash:
1bcc56f451176c645053b334ba3cfc52b1c5a481
Link:
https://www.unpac.me/results/04caf741-545d-4938-ac14-8618c6f13646/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GhostSocks

Executable exe ea9389463bfd678e43de2eb0d559f679c41a245884b7d9bc3acb493795b15ac7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3631825/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38525/

Comments