analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

账单截屏20200222918,jрg.exe

Full analysis: https://app.any.run/tasks/cbb22ee6-660f-4846-84fa-04bee82b9121
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: February 22, 2020, 14:14:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
gh0st
pcrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

70A076BD68A4278095EB76B3C49969EC

SHA1:

B6138DCBCAB9809FA0E1DA4BAB21CD0DF2EAC54B

SHA256:

8BC7EDE32C79A921F8C3CD23AB8C1446678A0CDF91A744833B18B4057E0C4062

SSDEEP:

1536:c1xaOxLvm92M3oTbhN40E+qADqjnPql8R/r8c0Um4f0otC8G2EPbZgNOozgJ1JnH:+4Os8x20xxSGyH0Um43tfWbZEkHCjO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to CnC server

      • 账单截屏20200222918,jрg.exe (PID: 2548)
    • GH0ST was detected

      • 账单截屏20200222918,jрg.exe (PID: 2548)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • 账单截屏20200222918,jрg.exe (PID: 2548)
    • Connects to unusual port

      • 账单截屏20200222918,jрg.exe (PID: 2548)
    • Reads Internet Cache Settings

      • 账单截屏20200222918,jрg.exe (PID: 2548)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:02:20 07:42:25+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 86016
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x4660
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: -
FileDescription: PictureGame Microsoft 基础类应用程序
FileVersion: 1, 0, 0, 1
InternalName: PictureGame
LegalCopyright: 版权所有 (C) 2006
LegalTrademarks: -
OriginalFileName: PictureGame.EXE
ProductName: PictureGame 应用程序
ProductVersion: 1, 0, 0, 1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Feb-2020 06:42:25
Detected languages:
  • Chinese - PRC
CompanyName: -
FileDescription: PictureGame Microsoft 基础类应用程序
FileVersion: 1, 0, 0, 1
InternalName: PictureGame
LegalCopyright: 版权所有 (C) 2006
LegalTrademarks: -
OriginalFilename: PictureGame.EXE
ProductName: PictureGame 应用程序
ProductVersion: 1, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 20-Feb-2020 06:42:25
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00014AA2
0x00015000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.57378
.rdata
0x00016000
0x00004E3C
0x00005000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.78343
.data
0x0001B000
0x000111FC
0x0000E000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.74764
.rsrc
0x0002D000
0x00002028
0x00003000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.63396

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.54968
768
UNKNOWN
Chinese - PRC
RT_VERSION
2
2.74274
180
UNKNOWN
Chinese - PRC
RT_CURSOR
7
2.30475
74
UNKNOWN
Chinese - PRC
RT_STRING
100
3.65893
230
UNKNOWN
Chinese - PRC
RT_DIALOG
102
3.1271
88
UNKNOWN
Chinese - PRC
RT_DIALOG
129
3.57569
150
UNKNOWN
Chinese - PRC
RT_MENU
130
2.64095
62
UNKNOWN
Chinese - PRC
RT_DIALOG
3841
3.68399
80
UNKNOWN
Chinese - PRC
RT_STRING
3842
1.37932
44
UNKNOWN
Chinese - PRC
RT_STRING
3843
5.07447
120
UNKNOWN
Chinese - PRC
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
WINSPOOL.DRV
comdlg32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #GH0ST 账单截屏20200222918,jрg.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2548"C:\Users\admin\Desktop\账单截屏20200222918,jрg.exe" C:\Users\admin\Desktop\账单截屏20200222918,jрg.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
PictureGame Microsoft 基础类应用程序
Version:
1, 0, 0, 1
1168C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\20200218002.jpgC:\Windows\System32\rundll32.exe账单截屏20200222918,jрg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
99
Read events
89
Write events
10
Delete events
0

Modification events

(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2548) 账单截屏20200222918,jрg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:Key:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
rundll32.exe
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2548账单截屏20200222918,jрg.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\20200218002[1].jpgimage
MD5:5E3C86F0C0350CB1FBEFA0AE8B6A54A7
SHA256:0EDA6F9777C2901AB02687300715B0830224E8F28EBB0E283E70B311904F8F4C
2548账单截屏20200222918,jрg.exeC:\Users\admin\Desktop\20200218002.jpgimage
MD5:5E3C86F0C0350CB1FBEFA0AE8B6A54A7
SHA256:0EDA6F9777C2901AB02687300715B0830224E8F28EBB0E283E70B311904F8F4C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2548
账单截屏20200222918,jрg.exe
GET
200
137.220.135.60:80
http://137.220.135.60/20200218002.jpg
US
image
122 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2548
账单截屏20200222918,jрg.exe
137.220.135.60:80
Apogee Telecom Inc.
US
malicious
2548
账单截屏20200222918,jрg.exe
137.220.135.36:8000
Apogee Telecom Inc.
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2548
账单截屏20200222918,jрg.exe
A Network Trojan was detected
MALWARE [PTsecurity] YoungLotus
1 ETPRO signatures available at the full report
Process
Message
账单截屏20200222918,jрg.exe
½øÈëDLLMain