File name: 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d

Full analysis: https://app.any.run/tasks/a58414e2-670d-4c9c-b1d7-8dbd610ef74e
Verdict: Malicious activity
Threats:

Gh0st RAT is malware with advanced trojan functionality that enables attackers to establish full control over the victim's system. The spying capabilities of Gh0st RAT have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Analysis date: June 21, 2025, 06:55:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: gh0st, rat, rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 6E5A82F4B73384F33A083108D143FA3B
SHA1: 18EB4A6BA1A260DF41F04637646B92847D04F909
SHA256: 67F23D0D37D756D166938082798B7669B2DAD0B7BC7121C75977FF25BA11302D
SSDEEP: 49152:a33kxULl1NZDqWQg7+88988NthyUKL6qM+Dot9sEJTpSHSu5Z/Zqvu:a3UxULl1NZDNlkmnlotSQTpSHSu5/z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST mutex has been found

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 768)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Reads security settings of Internet Explorer

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 768)
    • The process executes VB scripts

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 768)
    • There is functionality for enabling RDP (YARA)

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • There is functionality for taking screenshots (YARA)

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Connects to unusual port

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
  • INFO

    • Checks supported languages

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Reads the computer name

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Creates files or folders in the user directory

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Process checks computer location settings

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • The sample was compiled with Chinese language support

      • 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe (PID: 516)
    • Checks proxy server information

      • slui.exe (PID: 1324)
    • Reads the software policy settings

      • slui.exe (PID: 1324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:25 19:27:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 880640
InitializedDataSize: 679936
UninitializedDataSize: -
EntryPoint: 0xb5a39
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: Windows 配置程序
ProductName: Windows 核心进程
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start; #GH0ST 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe; wscript.exe (no specs); slui.exe

Process information

PID 516
CMD: "C:\Users\admin\Desktop\67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe"
Path: C:\Users\admin\Desktop\67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID 768
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.812.10240.16384
Modules (images):
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID 1324
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 5 674
Read events: 5 673
Write events: 1
Delete events: 0

Modification events

(PID) Process: (516) 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files: 2
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
516 | 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe | C:\Users\admin\AppData\Roaming\svchcst.exe | executable
MD5: 6E5A82F4B73384F33A083108D143FA3B
SHA256: 67F23D0D37D756D166938082798B7669B2DAD0B7BC7121C75977FF25BA11302D
516 | 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe | C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe | executable
MD5: D8C240D9CF98157E21BB413792419F3C
SHA256: ABBCF585A6F9A2991216375E2E6465633FB10B5126436334491EEB35CDA1B259
516 | 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe | C:\Users\admin\AppData\Roaming\Microsoft\Config.ini | text
MD5: 920CF412B7EE0697EB7E87417C24272D
SHA256: 3A0BD8B10505EA2FECF3A7FE01897ABB1D14042980281C403CF2D9DCD1851FF1
516 | 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe | C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs | text
MD5: DFF5D4C7FC5F0BF1FBB9AC0D7D64B12A
SHA256: 52D8E4E1D2E0F7E8F848AA03B224F23D25EE376DBDAB89595C73C09D21DDBC83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 56
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3668 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3668 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.31.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3668 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3668 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
516 | 67f23d0d37d756d166938082798b7669b2dad0b7bc7121c75977ff25ba11302d.exe | 192.168.142.201:8282 | - | - | - | unknown
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.22
  • 20.190.160.5
  • 40.126.32.133
  • 20.190.160.4
  • 40.126.32.138
  • 40.126.32.134
  • 20.190.160.130
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info