File name:	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a
Full analysis:	https://app.any.run/tasks/65867488-0955-4846-8179-1ab27eae002d
Verdict:	Malicious activity
Threats:	Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	April 06, 2025, 06:42:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	gh0st rat sainbox zegost loader upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	3D0156E1F7FABBC3AF8A0063D86AE4D4
SHA1:	179047B99C4DBE290DE325A98995ADF485725EEB
SHA256:	5B73EFE60CE4A31E0D4BE12C608A08CE685EB11A6901B5A37E6A856DD21BCC7A
SSDEEP:	98304:WX5UXVxdjtPSVSg58bEvnB3H/eyJHEAsc3G1fC5RHxQUneevbG1AfhnxcANsZb7Z:AM

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:10:10 15:16:58+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	520192
InitializedDataSize:	1175552
UninitializedDataSize:	-
EntryPoint:	0x60e35
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	8.9.8.9
ProductVersionNumber:	8.9.8.9
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileVersion:	8.9.8.9
FileDescription:	应用程序
ProductName:	应用程序
ProductVersion:	8.9.8.9
CompanyName:	Osama bin Mohammed bin Awad bin Laden
LegalCopyright:	Osama bin Mohammed bin Awad bin Laden
Comments:	应用程序


(PID) Process:	(6700) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation:	write	Name:	MarkTime
Value: 2025-04-06 06:43
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	Type
Value: 2
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	Start
Value: 1
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	ErrorControl
Value: 0
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	ImagePath
Value: system32\DRIVERS\QAssist.sys
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	DisplayName
Value: QAssist
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	Group
Value: FSFilter Activity Monitor
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	DependOnService
Value: FltMgr
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	DebugFlags
Value: 0
(PID) Process:	(4692) TXPlatforn.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation:	write	Name:	SupportedFeatures
Value: 3

PID	Process	Filename		Type
4488	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchos.exe_95345e27e37364fea753b9e974c85f747b416d_efb276f5_0b9f0935-9b4a-4198-ba1b-39f84373ebdf\Report.wer		—
		MD5:—	SHA256:—
4120	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchos.exe_c7c228458ceec88fff268b845fe1698aecd56ab_efb276f5_411f3031-3fd0-4d71-ba6b-276aa04bad09\Report.wer		—
		MD5:—	SHA256:—
5972	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe	C:\Program Files\CCleaner\CCleaner64.exe		—
		MD5:—	SHA256:—
5972	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe			—
		MD5:—	SHA256:—
6700	svchost.exe	C:\Windows\SysWOW64\TXPlatforn.exe		executable
		MD5:A4329177954D4104005BCE3020E5EF59	SHA256:6156D003D54DCF2EE92F21BD6E7A6A7F91730BD2804381260BCABE465ABE6DDD
4692	TXPlatforn.exe	C:\Windows\System32\drivers\QAssist.sys		executable
		MD5:4E34C068E764AD0FF0CB58BC4F143197	SHA256:6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B
5972	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe	C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe		—
		MD5:—	SHA256:—
5972	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe	C:\Users\admin\AppData\Local\Temp\svchos.exe		executable
		MD5:3B377AD877A942EC9F60EA285F7119A2	SHA256:62954FDF65E629B39A29F539619D20691332184C6B6BE5A826128A8E759BFA84
5972	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe	C:\Users\admin\AppData\Local\Temp\svchost.exe		executable
		MD5:A4329177954D4104005BCE3020E5EF59	SHA256:6156D003D54DCF2EE92F21BD6E7A6A7F91730BD2804381260BCABE465ABE6DDD
5972	5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe	C:\Users\admin\Desktop\HD_5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a.exe		executable
		MD5:FB083ACD60FE5C3156DC25442BE815E3	SHA256:F130B3789962D5C8B59AA250D6F26AD5945928F3905B32BF65AA7BD30348A794

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4996	RUXIMICS.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	—	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4996	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4996	RUXIMICS.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3284	svchost.exe	13.89.179.12:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
900	slui.exe	13.77.207.86:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1184	slui.exe	13.77.207.86:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	172.217.18.110	whitelisted
hackerinvasion.f3322.net	—	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
watson.events.data.microsoft.com	13.89.179.12	whitelisted
activation-v2.sls.microsoft.com	13.77.207.86	whitelisted

General Info

5b73efe60ce4a31e0d4be12c608a08ce685eb11a6901b5a37e6a856dd21bcc7a

3D0156E1F7FABBC3AF8A0063D86AE4D4

179047B99C4DBE290DE325A98995ADF485725EEB

5B73EFE60CE4A31E0D4BE12C608A08CE685EB11A6901B5A37E6A856DD21BCC7A

98304:WX5UXVxdjtPSVSg58bEvnB3H/eyJHEAsc3G1fC5RHxQUneevbG1AfhnxcANsZb7Z:AM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GH0ST mutex has been found

SAINBOX has been detected

Starts CMD.EXE for self-deleting

GH0ST has been detected

ZEGOST has been detected

SUSPICIOUS

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Executes as Windows Service

Starts CMD.EXE for commands execution

Hides command output

Application launched itself

Mutex name with non-standard characters

Runs PING.EXE to delay simulation

Creates or modifies Windows services

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

There is functionality for taking screenshot (YARA)

Executes application which crashes

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

The sample compiled with chinese language support

Creates files or folders in the user directory

The sample compiled with english language support

Checks proxy server information

UPX packer has been detected

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats