MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faafc408fb5b3f6907b1033f89bc6b8569d602c7e80532801e99af4dca1110f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GhostPulse


Vendor detections: 17



SHA256 hash: faafc408fb5b3f6907b1033f89bc6b8569d602c7e80532801e99af4dca1110f6
SHA3-384 hash: f6dc615258a3e01d5dca7ec119428579b1eaeafb0056820f517bad5656e4291da0dda7410b52184a2cb332803f58b81f
SHA1 hash: ff6d03be9c128d8739ddde6ac744e37fbfef6a04
MD5 hash: 1547ece531048c43158517daec04a0f8
humanhash: kansas-fruit-charlie-hamper
File name: kythy.exe
Signature: GhostPulse
File size: 10'380'926 bytes
First seen: 2026-06-18 09:40:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (24 x HijackLoader, 15 x GhostPulse, 14 x ValleyRAT)
ssdeep: 196608:+p1lOqylhm+91VFNRS4Zrw5DEGGS2FRybV7aB/zw01FoiXYg0D:+pGlYAV3RSc4DESWB7oBgQ
Threatray: 153 similar samples on MalwareBazaar
TLSH: T140A6331273A011FBE511C6F1AF5DEF225633F34012142B17AAE9EE167E2782B460B6DD
TrID: 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
      13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c292ecd8f2f6fe1c (23 x HijackLoader, 15 x GhostPulse, 11 x LummaStealer)
Reporter: BlinkzSec
Tags: GhostPulse

Intelligence


File Origin
# of uploads: 1
# of downloads: 64
Origin country: SE
Vendor Threat Intelligence
No detections
Malware family:
ID: 1
File name: _faafc408fb5b3f6907b1033f89bc6b8569d602c7e80532801e99af4dca1110f6.exe
Verdict: Malicious activity
Analysis date: 2026-06-18 09:41:51 UTC
Tags: hijackloader loader delphi auto-startup stealer stealc vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.9%
Tags: autorun delphi ramnit
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Replacing files
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict: Malicious
File Type: exe x32
First seen: 2026-06-18T03:54:00Z UTC
Last seen: 2026-06-20T00:38:00Z UTC
Hits: ~100
Detections: Trojan.Win32.Strab.sb Trojan-Spy.Win32.Agent.a HEUR:Trojan.Win32.Loader.gen Trojan.Win32.Zenpak.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Stealerc.TCP.C&C Trojan-PSW.Stealerc.HTTP.C&C
Gathering data
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2026-06-18 09:39:05 UTC
File Type: PE (Exe)
Extracted files: 102
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader credential_access discovery loader spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Detects HijackLoader (aka IDAT Loader)
Family: HijackLoader, IDAT loader, GhostPulse
Suspicious use of NtCreateProcessExOtherParentProcess
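Two of the behaviours that recur across the sandbox reports above (a file written to %temp% or %AppData% and then started, and a thread injected from that dropped binary into another process) are straightforward to correlate from endpoint telemetry. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors; the records in EVENTS are constructed by hand and only borrow the field names of Sysmon event IDs 1 (ProcessCreate), 8 (CreateRemoteThread) and 11 (FileCreate). The paths, PIDs and timestamps are invented for illustration.

```python
"""Correlate drop-then-execute and remote-thread injection over constructed
Sysmon-style events. Added example; not vendor code. EVENTS is constructed."""
from datetime import datetime

EVENTS = [  # constructed telemetry, not from the sample's real execution
    {"ts": "2026-06-18T09:40:30", "eid": 11, "pid": 4120,
     "image": r"C:\Users\u\Downloads\kythy.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"ts": "2026-06-18T09:40:31", "eid": 11, "pid": 4120,
     "image": r"C:\Users\u\Downloads\kythy.exe",
     "target": r"C:\Users\u\AppData\Roaming\Vendor\helper.dll"},
    {"ts": "2026-06-18T09:40:33", "eid": 1, "pid": 5288, "ppid": 4120,
     "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "parent_image": r"C:\Users\u\Downloads\kythy.exe"},
    {"ts": "2026-06-18T09:40:35", "eid": 8, "pid": 5288,
     "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "target_pid": 5301, "target_image": r"C:\Windows\System32\svchost.exe"},
    # Benign noise: a log written to %TEMP% that nothing ever executes.
    {"ts": "2026-06-18T07:00:00", "eid": 11, "pid": 900,
     "image": r"C:\Program Files\App\app.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\app.log"},
]

# Path fragments an ordinary user can write to, matched on the lower-cased
# path so casing differences in telemetry do not matter.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\appdata\\local\\", "\\users\\public\\")


def in_user_dir(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def drop_then_execute(events, window_s=300):
    """Pair each EID 11 FileCreate with a later EID 1 whose Image is the same
    file: the 'Creating a process from a recently created file' / 'Executes
    dropped EXE' behaviour. Only user-writable paths executed within
    window_s seconds count, which filters most installer activity."""
    drops = {}   # lower-cased path -> (created_at, dropping image)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["eid"] == 11:
            drops[ev["target"].lower()] = (datetime.fromisoformat(ev["ts"]), ev["image"])
        elif ev["eid"] == 1 and ev["image"].lower() in drops:
            created_at, dropper = drops[ev["image"].lower()]
            age_s = (datetime.fromisoformat(ev["ts"]) - created_at).total_seconds()
            if age_s <= window_s and in_user_dir(ev["image"]):
                hits.append({"rule": "drop_then_execute", "pid": ev["pid"],
                             "image": ev["image"], "dropper": dropper,
                             "age_s": age_s})
    return hits


def remote_thread_from_dropped(events):
    """Flag EID 8 CreateRemoteThread whose source lives in a user-writable
    directory and whose target is under System32. This is as much of the
    'injection into a recently created process' behaviour as EID 8 can see."""
    hits = []
    for ev in events:
        if ev["eid"] == 8 and in_user_dir(ev["image"]) \
                and ev["target_image"].lower().startswith("c:\\windows\\system32\\"):
            hits.append({"rule": "remote_thread_from_user_dir", "pid": ev["pid"],
                         "target_pid": ev["target_pid"],
                         "target": ev["target_image"]})
    return hits


def analyse(events):
    return drop_then_execute(events) + remote_thread_from_dropped(events)


if __name__ == "__main__":
    for hit in analyse(EVENTS):
        print(hit)
```

Two caveats follow directly from the behaviour lists. The SetThreadContext and MapViewOfSection style injection the reports mention never produces an EID 8 record; catching it needs EID 10 ProcessAccess with the granted-access mask, or an EDR kernel callback. And because the sample is reported using NtCreateProcessExOtherParentProcess (parent PID spoofing), the ParentImage field of EID 1 cannot be trusted, which is why the correlation above keys on the dropped file path rather than on the parent.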
Unpacked files
SHA256 hash: faafc408fb5b3f6907b1033f89bc6b8569d602c7e80532801e99af4dca1110f6
MD5 hash: 1547ece531048c43158517daec04a0f8
SHA1 hash: ff6d03be9c128d8739ddde6ac744e37fbfef6a04
SHA256 hash: 015a1aa41f4418802ba110dd5f3c8e9ea65bf5abe8ee22b7340daaa0c353bb97
MD5 hash: d977bec6681c16dec7d74b2f2326643f
SHA1 hash: 29a90233db30db28be47f7b224c4f2d05c0dcd82
SHA256 hash: f06f29be40224f1c6b066a763ed256492d7b2a431ed0918ffcc2fa25a0d6f6b7
MD5 hash: dda50ee8572bee448ab55672ba4273e6
SHA1 hash: 8140b4aac551cf7da820c91b1f32eaee6d0f14da
SHA256 hash: a6682606b82702142fe8d050ed0fa358fc5cd41e4f1e70c2f7fe94cac6894b9b
MD5 hash: 4c7a7fbcda5b1b1182c5aa50d8a26836
SHA1 hash: 855d93e8b7ae25c664ebdfb079c8761ab15a059d
SHA256 hash: 587da076595a127d1dcad40659142dff4c6e0c254cb530cece8d396b459384c7
MD5 hash: d76d408d8a2548079f8454a46a4312fc
SHA1 hash: dce456c82f8af85e484ff86e7a9394ed4bb35e6c
SHA256 hash: 8af6babba9e2212b8319e72aa67a2b8de45357a9311d7d36c654bd5f033848ce
MD5 hash: 5bfa2332b5672accd0acc7620aacde71
SHA1 hash: e8c077467bffbaf0476c3fadc2382e63c5751f59
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.
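The hash block at the top of this entry and the unpacked-file list above are the IOCs a responder would sweep an estate for. The following is an added example, not MalwareBazaar's own tooling: it loads the entry's digests (the kythy.exe sample and the SHA256s of its unpacked files), reads each file once while feeding all four algorithms, and reports any match. The directory it scans and the file it finds are constructed here so that the block runs offline; the real sample obviously cannot be reproduced, so the constructed file's own SHA256 is appended under a separate label.

```python
"""Hash-based IOC sweep using the digests listed in this MalwareBazaar entry.
Added example, not MalwareBazaar code. The tree scanned by demo() is constructed."""
import hashlib
import os
import tempfile

# (label, algorithm, hex digest) copied from the entry above.
IOCS = [
    ("kythy.exe (sample)", "sha256",
     "faafc408fb5b3f6907b1033f89bc6b8569d602c7e80532801e99af4dca1110f6"),
    ("kythy.exe (sample)", "sha1", "ff6d03be9c128d8739ddde6ac744e37fbfef6a04"),
    ("kythy.exe (sample)", "md5", "1547ece531048c43158517daec04a0f8"),
    ("kythy.exe (sample)", "sha3_384",
     "f6dc615258a3e01d5dca7ec119428579b1eaeafb0056820f517bad5656e4291d"
     "a0dda7410b52184a2cb332803f58b81f"),
    ("unpacked file", "sha256",
     "015a1aa41f4418802ba110dd5f3c8e9ea65bf5abe8ee22b7340daaa0c353bb97"),
    ("unpacked file", "sha256",
     "f06f29be40224f1c6b066a763ed256492d7b2a431ed0918ffcc2fa25a0d6f6b7"),
    ("unpacked file", "sha256",
     "a6682606b82702142fe8d050ed0fa358fc5cd41e4f1e70c2f7fe94cac6894b9b"),
    ("unpacked file", "sha256",
     "587da076595a127d1dcad40659142dff4c6e0c254cb530cece8d396b459384c7"),
    ("unpacked file", "sha256",
     "8af6babba9e2212b8319e72aa67a2b8de45357a9311d7d36c654bd5f033848ce"),
]

# Every algorithm that appears in the IOC list. Each file is read once and
# fed to all of them, so a large tree is not hashed four times over.
ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def hash_file(path, chunk=1 << 20):
    """Return {algorithm: hexdigest} for one file, streaming it in chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_index(iocs):
    """Map (algorithm, lower-cased digest) -> label, so differences in hex
    casing between vendors never cause a miss."""
    return {(algo, digest.lower()): label for label, algo, digest in iocs}


def sweep(root, iocs):
    """Walk root and return (path, algorithm, label) for every file whose
    digest under any algorithm is in the IOC list. Unreadable files are
    skipped rather than aborting the sweep."""
    index = build_index(iocs)
    matches = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                label = index.get((algo, digest))
                if label is not None:
                    matches.append((path, algo, label))
    return matches


def demo():
    """Build a constructed tree and sweep it. The constructed file's own
    SHA256 is added as an extra IOC so the sweep has something to find."""
    payload = b"constructed benign bytes, not the sample"   # constructed input
    extra = [("constructed test file", "sha256", hashlib.sha256(payload).hexdigest())]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "kythy.exe"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "other.bin"), "wb") as f:
            f.write(b"unrelated content")
        return sweep(root, IOCS + extra)


if __name__ == "__main__":
    for path, algo, label in demo():
        print(f"{label}: {algo} match at {path}")
```

Exact digests only find this build. The entry itself shows why that matters for a loader family: the imphash b5a014d7eeb4c2042897567e1288a095 is shared by 24 HijackLoader, 15 GhostPulse and 14 ValleyRAT samples, and the icon dhash is shared across HijackLoader, GhostPulse and LummaStealer, so those values are pivots for finding sibling samples, not verdicts on their own. The MD5 and SHA1 entries are kept in the index only because older vendor feeds still publish them; a match on MD5 alone should be confirmed with the SHA256.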

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: switch from 32-bit to 64-bit mode
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: Detect shellcode API hash values
Rule name: pe_no_import_table
Description: Detect PE files that have no import table
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/
Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: GhostPulse
File: Executable exe faafc408fb5b3f6907b1033f89bc6b8569d602c7e80532801e99af4dca1110f6 (this sample)
Delivery method: Distributed via web download

Comments