File name: SoftUpdate.exe.v

Full analysis: https://app.any.run/tasks/227464f9-6138-4adc-bf04-b56e67c664eb
Verdict: Malicious activity
Threats:

Gh0st RAT is a remote access trojan that gives an attacker full control over the victim's system. Its spying capabilities made it a go-to tool for numerous criminal groups and for high-profile attacks against government and corporate organizations. The most common infection vector is spam and phishing e-mail.

Analysis date: September 20, 2024, 15:44:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, rat, gh0st
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 533D850489F356C37ABD269C47E57D1D
SHA1: 59697AD75F1EE2758B62F9707F7E2BD2586A1356
SHA256: 1A03E49C1D3E121D435402E3925E2BC334CA6B49D09DFEFC6DF6B9F8E876858B
SSDEEP: 196608:kkI8saqIbf8LAHcpPOAMzPY+dloybPlF9ToooY09w2zZwDyFHvOcQQ93:fI8tqIr8LA84IqhF9To/FzCDyFkQ93

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for self-deleting
      • SoftUpdate.exe.v.exe (PID: 6476)
    • GH0ST has been detected (SURICATA)
      • Dtldt.exe (PID: 6660)
  • SUSPICIOUS
    • Executes as Windows Service
      • Dtldt.exe (PID: 6208)
    • Executable content was dropped or overwritten
      • SoftUpdate.exe.v.exe (PID: 6476)
    • Starts CMD.EXE for commands execution
      • SoftUpdate.exe.v.exe (PID: 6476)
    • Hides command output
      • cmd.exe (PID: 2772)
    • Runs PING.EXE to simulate a delay
      • cmd.exe (PID: 2772)
    • Reads security settings of Internet Explorer
      • Dtldt.exe (PID: 6660)
    • Connects to unusual port
      • Dtldt.exe (PID: 6660)
    • Contacting a server suspected of hosting a CnC
      • Dtldt.exe (PID: 6660)
  • INFO
    • Reads the computer name
      • SoftUpdate.exe.v.exe (PID: 6476)
      • Dtldt.exe (PID: 6208)
      • Dtldt.exe (PID: 6660)
    • Checks supported languages
      • SoftUpdate.exe.v.exe (PID: 6476)
      • Dtldt.exe (PID: 6208)
      • Dtldt.exe (PID: 6660)
    • Reads CPU info
      • Dtldt.exe (PID: 6660)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration was extracted.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:19 06:40:44+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x1b75086
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 126
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process tree, reconstructed from the parent/child relations in the process table below ("no specs" marks processes with no signature hits; #GH0ST marks the process that triggered the Gh0st alert):

explorer.exe
  └ softupdate.exe.v.exe (PID 4476, medium integrity, no specs)
  └ softupdate.exe.v.exe (PID 6476, high integrity)
      └ cmd.exe (PID 2772, self-delete via ping/del, no specs)
          ├ conhost.exe (PID 3108, no specs)
          └ ping.exe (PID 6868, no specs)
services.exe
  └ dtldt.exe -auto (PID 6208, SYSTEM, no specs)
      └ dtldt.exe -acsi (PID 6660, SYSTEM) #GH0ST

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 2772
CMD: C:\WINDOWS\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\admin\Desktop\SOFTUP~1.EXE > nul
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: SoftUpdate.exe.v.exe
Note: SOFTUP~1.EXE is the 8.3 short name of the dropper in the same directory; the two-pings-to-loopback pause gives the parent time to exit before the file is deleted, and both redirects to nul hide the output.
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 3108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4476
CMD: "C:\Users\admin\Desktop\SoftUpdate.exe.v.exe"
Path: C:\Users\admin\Desktop\SoftUpdate.exe.v.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch did not start; the same image also ran at high integrity as PID 6476)
Modules
Images
c:\users\admin\desktop\softupdate.exe.v.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6208
CMD: C:\WINDOWS\SysWOW64\Dtldt.exe -auto
Path: C:\Windows\SysWOW64\Dtldt.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules
Images
c:\windows\syswow64\dtldt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6476
CMD: "C:\Users\admin\Desktop\SoftUpdate.exe.v.exe"
Path: C:\Users\admin\Desktop\SoftUpdate.exe.v.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\desktop\softupdate.exe.v.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6660
CMD: C:\WINDOWS\SysWOW64\Dtldt.exe -acsi
Path: C:\Windows\SysWOW64\Dtldt.exe
Parent process: Dtldt.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules
Images
c:\windows\syswow64\dtldt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6868
CMD: ping -n 2 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
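The process table above shows two behaviours worth turning into detection logic: the dropper spawning cmd.exe with a `ping -n 2 127.0.0.1 > nul && del ...` chain so that the file is removed once the parent has exited, and the copy dropped into SysWOW64 being started by services.exe (the "Executes as Windows Service" indicator). The Python below is an added example, not part of the ANY.RUN report or the sample, that runs both checks over constructed process-creation and file-write records modelled on this report. PIDs, command lines, paths and hashes are copied from the report; the record layout, the field names and the benign control record are assumptions.

```python
import ntpath
import re

# Constructed telemetry modelled on this report's process and dropped-file
# tables. Values are taken from the report; the dict layout is an assumption
# (it is not ANY.RUN's export format).
PROCESSES = [
    {"pid": 6476, "image": r"C:\Users\admin\Desktop\SoftUpdate.exe.v.exe",
     "cmdline": r'"C:\Users\admin\Desktop\SoftUpdate.exe.v.exe"',
     "parent_image": r"C:\Windows\explorer.exe", "user": "admin"},
    {"pid": 2772, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul "
                r"&& del C:\Users\admin\Desktop\SOFTUP~1.EXE > nul",
     "parent_image": r"C:\Users\admin\Desktop\SoftUpdate.exe.v.exe", "user": "admin"},
    {"pid": 6208, "image": r"C:\Windows\SysWOW64\Dtldt.exe",
     "cmdline": r"C:\WINDOWS\SysWOW64\Dtldt.exe -auto",
     "parent_image": r"C:\Windows\System32\services.exe", "user": "SYSTEM"},
    {"pid": 6660, "image": r"C:\Windows\SysWOW64\Dtldt.exe",
     "cmdline": r"C:\WINDOWS\SysWOW64\Dtldt.exe -acsi",
     "parent_image": r"C:\Windows\SysWOW64\Dtldt.exe", "user": "SYSTEM"},
    # Constructed benign control: ping used as a plain sleep, nothing deleted.
    {"pid": 9001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 4 127.0.0.1 > nul",
     "parent_image": r"C:\Windows\explorer.exe", "user": "admin"},
]

FILE_WRITES = [  # from the report's "Dropped files" table
    {"pid": 6476, "path": r"C:\Windows\SysWOW64\Dtldt.exe",
     "sha256": "1A03E49C1D3E121D435402E3925E2BC334CA6B49D09DFEFC6DF6B9F8E876858B"},
]

# SHA256 of the image behind each PID; the report gives this hash for the sample.
IMAGE_SHA256 = {6476: "1A03E49C1D3E121D435402E3925E2BC334CA6B49D09DFEFC6DF6B9F8E876858B"}

# ping to loopback as a timer, output discarded, then del of a path: the
# classic "wait for my parent to exit, then remove it" one-liner.
SELF_DELETE_RE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*>\s*nul\s*&&\s*del\s+(?P<target>\S+)",
    re.IGNORECASE,
)


def find_self_delete(processes):
    """Return (cmd pid, parent image, deleted path) for every cmd.exe whose
    ping/del chain targets a file in its parent's own directory."""
    hits = []
    for p in processes:
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(p["cmdline"])
        if not m:
            continue
        target = m.group("target")
        # The 8.3 short name (SOFTUP~1.EXE) hides the exact file name, so
        # compare directories rather than full paths.
        if ntpath.dirname(target).lower() == ntpath.dirname(p["parent_image"]).lower():
            hits.append((p["pid"], p["parent_image"], target))
    return hits


def find_service_self_copies(processes, file_writes, image_sha256):
    """Correlate a file written by process X carrying X's own hash (a self-copy)
    with processes that services.exe later started from that path."""
    written = {w["path"].lower(): w for w in file_writes}
    hits = []
    for p in processes:
        if not p["parent_image"].lower().endswith("\\services.exe"):
            continue
        w = written.get(p["image"].lower())
        if w is None:
            continue
        hits.append({
            "pid": p["pid"],
            "image": p["image"],
            "dropped_by": w["pid"],
            "self_copy": image_sha256.get(w["pid"]) == w["sha256"],
            "args": p["cmdline"].split()[1:],
        })
    return hits


if __name__ == "__main__":
    for pid, parent, target in find_self_delete(PROCESSES):
        print(f"self-delete: cmd.exe {pid} spawned by {parent} deletes {target}")
    for h in find_service_self_copies(PROCESSES, FILE_WRITES, IMAGE_SHA256):
        print(f"service persistence: {h['image']} (pid {h['pid']}) dropped by pid "
              f"{h['dropped_by']}, self-copy={h['self_copy']}, args={h['args']}")
```

The directory comparison is what separates the self-delete chain from an administrator's `ping -n N 127.0.0.1 > nul` used as a sleep; the hash comparison is what separates a self-copy into SysWOW64 from a legitimate installer writing a different binary there.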
Total events: 648
Read events: 646
Write events: 2
Delete events: 0

Modification events

(PID) Process: (6476) SoftUpdate.exe.v.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation: write
Name: MarkTime
Value: 2024-09-20 15:44
Note: HKLM\SYSTEM\Select normally holds only the Current, Default, Failed and LastKnownGood control-set selectors; a MarkTime value there is a non-standard marker and matches the analysis start time.

(PID) Process: (6660) Dtldt.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\ActiveMovie\devenum
Operation: write
Name: Version
Value: 7
Note: this value is normally written by the DirectShow device enumerator when a process enumerates multimedia devices; it lands under HKU\.DEFAULT because the process runs as SYSTEM.
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 6476
Process: SoftUpdate.exe.v.exe
Filename: C:\Windows\SysWOW64\Dtldt.exe
Type: executable
MD5: 533D850489F356C37ABD269C47E57D1D
SHA256: 1A03E49C1D3E121D435402E3925E2BC334CA6B49D09DFEFC6DF6B9F8E876858B
Note: the hashes are identical to the submitted sample, so the dropper copies itself into SysWOW64 as Dtldt.exe; that copy is the process later started by services.exe (PID 6208).
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 4
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Reputation
5900 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown / whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown / whitelisted

Both requests are Windows background traffic (a Microsoft CRL fetch by svchost.exe and the update worker), not traffic from the sample; neither row carries a CN, type or size value in the report.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1776 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5900 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not shown) | (not shown) | 20.189.173.9:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(not shown) | (not shown) | 92.123.104.35:443 | | Akamai International B.V. | DE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
5900 | svchost.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
www.microsoft.com | 23.218.209.163 | whitelisted

Threats

PID | Process | Class | Message
6660 | Dtldt.exe (per the "GH0ST has been detected (SURICATA)" indicator above) | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Gh0stRat

The Dtldt.exe connection that raised this alert ("Connects to unusual port", "Contacting a server suspected of hosting a CnC") is not itemized in the connection summary above; the PCAP in the full report is needed to recover the destination.
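The Suricata alert above fires on the wire format of the Gh0st family rather than on a destination address. In the public Gh0st source every frame begins with a 5-byte tag (the original uses "Gh0st"), a little-endian 32-bit total frame length, a little-endian 32-bit decompressed length, and a zlib-compressed body whose first byte is a command token; derived families frequently change only the tag. The Python below is an added example, not from the ANY.RUN report or the sample, that builds constructed frames in that layout and parses them defensively, including a loose mode for renamed tags. The alternative tag value, the 1 MiB body cap, the token value and the frame contents are assumptions used only to construct test input.

```python
import struct
import zlib
from typing import Optional

HEADER_LEN = 13          # 5-byte tag + two little-endian uint32 lengths
MAX_BODY = 1 << 20       # assumption: cap on decompressed size, stops zlib bombs
CLASSIC_TAG = b"Gh0st"   # tag used by the original Gh0st source


def build_frame(tag: bytes, body: bytes) -> bytes:
    """Encode body as one frame (used here only to construct test input)."""
    if len(tag) != 5:
        raise ValueError("tag must be 5 bytes")
    comp = zlib.compress(body)
    return tag + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp


def parse_frame(buf: bytes, expected_tag: Optional[bytes] = CLASSIC_TAG) -> Optional[dict]:
    """Return {'tag', 'token', 'body'} for a well-formed frame, else None.
    With expected_tag=None any 5-byte tag is accepted, which catches variants
    that rename the magic but keep the header layout."""
    if len(buf) < HEADER_LEN:
        return None
    tag = buf[:5]
    total_len, body_len = struct.unpack_from("<II", buf, 5)
    if expected_tag is not None and tag != expected_tag:
        return None
    # Length fields must describe exactly this frame, and the claimed size must
    # be sane before any inflation happens.
    if total_len != len(buf) or body_len > MAX_BODY:
        return None
    comp = buf[HEADER_LEN:]
    if comp[:1] != b"\x78":          # zlib CMF byte: deflate with a 32 KiB window
        return None
    d = zlib.decompressobj()
    try:
        body = d.decompress(comp, body_len + 1)   # never inflate past the claim
    except zlib.error:
        return None
    if len(body) != body_len or not d.eof:
        return None
    return {"tag": tag, "token": body[0] if body else None, "body": body}


def run_demo() -> dict:
    """Exercise the parser on constructed frames; returns each outcome."""
    payload = b"\x66" + b"constructed login body"      # 0x66 is a constructed token value
    good = build_frame(CLASSIC_TAG, payload)
    renamed = build_frame(b"Xy12z", payload)           # constructed variant tag
    truncated = good[:-1]
    # Header claims a 4-byte body but the stream inflates to far more.
    big = zlib.compress(b"A" * 4096)
    bomb = CLASSIC_TAG + struct.pack("<II", HEADER_LEN + len(big), 4) + big
    return {
        "good": parse_frame(good),
        "renamed_strict": parse_frame(renamed),
        "renamed_loose": parse_frame(renamed, expected_tag=None),
        "truncated": parse_frame(truncated),
        "bomb": parse_frame(bomb),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", "frame" if result else "rejected", result and result["body"][:8])
```

The length cross-check and the bounded `decompress` call are the two things a naive reimplementation of the family's own receive loop omits: the original trusts the header lengths, which is also why a parser written for hunting must not.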
No debug info