File name: www.hgnghhngv.com

Full analysis: https://app.any.run/tasks/b24a2dbd-fa31-4308-8337-40e23a058a99
Verdict: Malicious activity
Threats: Gh0st RAT

Gh0st RAT is malware with advanced trojan functionality that lets attackers take full control of the victim's system. Its spying capabilities have made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common attack vector involving this malware begins with spam and phishing emails.

Analysis date: February 01, 2024, 07:30:08
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: remote, rat, gh0st

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: EE0D1967E6F6564CD19D9C30078CB893
SHA1: F0DEE9141EB1C7653190C27F1881EAF96BBF5C26
SHA256: C57646DB89CF3577B4488C84F0E71FC4041657EB6E52148915C358E0BE57665B
SSDEEP: 98304:zjNsizFBZT82kiigeiB5sSoK0SmmYr0Ca/FQWVMRLB9xxYyJAG/DgbYkz19lfTVc:ViIZ4DeXIZ4Deaqt7tqBxqt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • www.hgnghhngv.com.exe (PID: 5344)
    • Creates a writable file in the system directory

      • www.hgnghhngv.com.exe (PID: 5344)
      • NXYBankAssist.exe (PID: 3712)
    • GH0ST has been detected (SURICATA)

      • NXYBankAssist.exe (PID: 3712)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • www.hgnghhngv.com.exe (PID: 5344)
    • Reads the Internet Settings

      • www.hgnghhngv.com.exe (PID: 5344)
      • Notepad.exe (PID: 1776)
    • Reads the date of Windows installation

      • www.hgnghhngv.com.exe (PID: 5344)
    • Reads the Windows owner or organization settings

      • www.hgnghhngv.com.exe (PID: 5344)
    • Starts CMD.EXE for commands execution

      • www.hgnghhngv.com.exe (PID: 5344)
    • The process drops C-runtime libraries

      • www.hgnghhngv.com.exe (PID: 5344)
    • Executable content was dropped or overwritten

      • www.hgnghhngv.com.exe (PID: 5344)
    • Executing commands from a ".bat" file

      • www.hgnghhngv.com.exe (PID: 5344)
    • Executes application which crashes

      • Client.exe (PID: 5632)
    • Application launched itself

      • NXYBankAssist.exe (PID: 4236)
    • Connects to unusual port

      • NXYBankAssist.exe (PID: 3712)
  • INFO

    • Reads the computer name

      • www.hgnghhngv.com.exe (PID: 5344)
      • Notepad.exe (PID: 1776)
      • NXYBankAssist.exe (PID: 4236)
      • NXYBankAssist.exe (PID: 3712)
    • Checks supported languages

      • www.hgnghhngv.com.exe (PID: 5344)
      • Notepad.exe (PID: 1776)
      • Client.exe (PID: 5632)
      • NXYBankAssist.exe (PID: 4236)
      • NXYBankAssist.exe (PID: 3712)
    • Create files in a temporary directory

      • www.hgnghhngv.com.exe (PID: 5344)
    • Creates files in the program directory

      • www.hgnghhngv.com.exe (PID: 5344)
    • Reads Environment values

      • www.hgnghhngv.com.exe (PID: 5344)
    • Checks proxy server information

      • WerFault.exe (PID: 1020)
    • Reads the Internet Settings

      • WerFault.exe (PID: 1020)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1020)
    • Reads CPU info

      • NXYBankAssist.exe (PID: 3712)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:12:27 16:47:44+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 460288
InitializedDataSize: 167424
UninitializedDataSize: -
EntryPoint: 0x529af
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: M
FileDescription: 149
FileVersion: 6.0.0.0
LegalCopyright: M
ProductVersion: 6, 0, 0, 0
No data.
Total processes: 124
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 1


Process information

PID: 1020
CMD: C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 260
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Client.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.22000.653 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID: 1776
CMD: "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2205.11.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe" "C:\Program Files\149\н¨Îı¾Îĵµ.txt" (non-ASCII file name shown as rendered by the sandbox)
Path: C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2205.11.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
Parent process: www.hgnghhngv.com.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\program files\windowsapps\microsoft.windowsnotepad_11.2205.11.0_x64__8wekyb3d8bbwe\notepad\notepad.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\shlwapi.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll

PID: 3712
CMD: "C:\Program Files\149\NXYBankAssist.exe"
Path: C:\Program Files\149\NXYBankAssist.exe
Parent process: NXYBankAssist.exe
User: admin
Company: 税友软件集团股份有限公司 (Servyou Software Group Co., Ltd.)
Integrity Level: HIGH
Exit code: 0
Version: 3.0.124.2836
Modules (images): c:\program files\149\nxybankassist.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID: 4236
CMD: "NXYBankAssist.exe" -hp
Path: C:\Program Files\149\NXYBankAssist.exe
Parent process: cmd.exe
User: admin
Company: 税友软件集团股份有限公司 (Servyou Software Group Co., Ltd.)
Integrity Level: HIGH
Exit code: 0
Version: 3.0.124.2836
Modules (images): c:\program files\149\nxybankassist.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID: 4852
CMD: "C:\Users\admin\Desktop\www.hgnghhngv.com.exe"
Path: C:\Users\admin\Desktop\www.hgnghhngv.com.exe
Parent process: explorer.exe
User: admin
Company: M
Integrity Level: MEDIUM
Description: 149
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.0.0.0
Modules (images): c:\users\admin\desktop\www.hgnghhngv.com.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID: 4932
CMD: C:\Windows\system32\cmd.exe /c ""C:\Program Files\149\н¨ Îı¾Îĵµ.bat" " (non-ASCII file name shown as rendered by the sandbox)
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: www.hgnghhngv.com.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID: 5344
CMD: "C:\Users\admin\Desktop\www.hgnghhngv.com.exe"
Path: C:\Users\admin\Desktop\www.hgnghhngv.com.exe
Parent process: explorer.exe
User: admin
Company: M
Integrity Level: HIGH
Description: 149
Exit code: 0
Version: 6.0.0.0
Modules (images): c:\users\admin\desktop\www.hgnghhngv.com.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID: 5632
CMD: "Client.exe" -hp
Path: C:\Program Files\149\Client.exe
Parent process: cmd.exe
User: admin
Company: 腾讯计算机系统有限公司 (Tencent Computer System Co., Ltd.)
Integrity Level: HIGH
Description: 腾讯游戏登录程序 (Tencent game login program)
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 4.0.23.5
Modules (images): c:\program files\149\client.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll

PID: 6068
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll
Total events: 4 530
Read events: 4 515
Write events: 12
Delete events: 3

Modification events

PID 5344, www.hgnghhngv.com.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write; Name: ProxyBypass; Value: 1
Operation: write; Name: IntranetName; Value: 1
Operation: write; Name: UNCAsIntranet; Value: 1
Operation: write; Name: AutoDetect; Value: 0

PID 5344, www.hgnghhngv.com.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults
Operation: write; Name: data; Value: (not included in this extract of the report)

PID 1020, WerFault.exe
Key: \REGISTRY\A\{2b880773-8728-fd50-6072-f6c60db1c527}\Root\InventoryApplicationFile
Operation: write; Name: WritePermissionsCheck; Value: 1

PID 1020, WerFault.exe
Key: \REGISTRY\A\{2b880773-8728-fd50-6072-f6c60db1c527}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key; Name: (default); Value: (none)
Executable files: 16
Suspicious files: 10
Text files: 10
Unknown types: 0

Dropped files

All of the files below were dropped by PID 5344, www.hgnghhngv.com.exe.

C:\Users\admin\AppData\Local\Temp\20240201073034174~YingInstall-TopFramePicture.bmp (image)
MD5: A528A1EFB19F5BEE2FA74CD8650DAB24
SHA256: D9295A5E215CF9F1C2DD5B9AA5DEB1EE46619202B5814296CA73777506846608

C:\Users\admin\AppData\Local\Temp\20240201073034174~YingInstall-Language.ini (text)
MD5: 471452893A08C3CD834A0CDBF4899D95
SHA256: BD6AABB0EA4D6BFC517B721C17ABA42BE54B6C7DE94FB20254824423458385BF

C:\Program Files\149\adortl70.bpl (executable)
MD5: 967E7EAC49ECAB6A44DCE09B1EBCFBA9
SHA256: C3B7000CFB70B7D8ADE94B37C6CF1069CFF7242AF797C80726CACD22302D7BDF

C:\Program Files\149\EPLib.bpl (executable)
MD5: 120DC5EE6553F3690B457ACB3054D77D
SHA256: A0E14C10AA40BCC44ED38E2F7E5E47F496F0B7CE28058AD83DC8697C056BD14C

C:\Program Files\149\dbrtl70.bpl (binary)
MD5: 398DCE3B0CAA23CD6F73AD390324068C
SHA256: 5B0FBCD19012ADE9E2AE4407E0875CFAF983655338F0DD5AE343AEB4F73693F7

C:\Program Files\149\Lua51.dll (executable)
MD5: 127D5BF484AD700A335AF409180E219D
SHA256: 73971F9B4C5C1EE56205A0BBC07075F5E0E6D6C2DA5357B99B7824628C5FF0D9

C:\Program Files\149\NXYBankAssist.exe (executable)
MD5: 24817F01D849A31B87D9FCF5B23FD7FD
SHA256: 27380A9A8E761F13A17AC3237BC8DF19CD180F3366E58C7B6EB7F1B176488A15

C:\Program Files\149\ClientBase.dll (executable)
MD5: 9D4F8E7860E4B39C50F071F571667BD8
SHA256: 482C154D2145B3B9755BA96DF529F1D85C33A2BDA4A11CEF5C3F7C11086747AC

C:\Program Files\149\common.dll (executable)
MD5: C6C7113CAEA9AA58A53F596A59125E24
SHA256: 5834DE3359FD6ACC9C1509E7B014FF79980AA9435290C6ECFE768BFE6D501079

C:\Program Files\149\rtl70.bpl (executable)
MD5: 451CA77630FE988FF8EF61156420E815
SHA256: DEF377D776869B391754E2EF7E130650F8CA7A5913695B204D59ECF061117F98
HTTP(S) requests: 3
TCP/UDP connections: 27
DNS requests: 8
Threats: 2

HTTP requests

PID 1020, WerFault.exe
Method: GET; HTTP code: 200; IP: 93.184.221.240:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1277bed07dd4f5e1
CN: unknown; Type: compressed; Size: 4.66 Kb; Reputation: unknown

PID 3752, svchost.exe
Method: GET; HTTP code: 200; IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown; Type: binary; Size: 471 b; Reputation: unknown

PID 1412, svchost.exe
Method: GET; HTTP code: 200; IP: 2.16.164.42:80
URL: http://www.msftconnecttest.com/connecttest.txt
CN: unknown; Type: text; Size: 22 b; Reputation: unknown

Connections

PID 2664, msedge.exe: 204.79.197.239:443; Domain: edge.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: US; Reputation: unknown
PID 4588, svchost.exe: 239.255.255.250:1900; Domain: -; ASN: -; CN: -; Reputation: unknown
PID 5180, msedge.exe: 224.0.0.251:5353; Domain: -; ASN: -; CN: -; Reputation: unknown
PID 1412, svchost.exe: 2.16.164.35:80; Domain: -; ASN: Akamai International B.V.; CN: NL; Reputation: unknown
PID 5944, svchost.exe: 2.18.97.153:443; Domain: -; ASN: Akamai International B.V.; CN: FR; Reputation: unknown
PID 1020, WerFault.exe: 20.189.173.21:443; Domain: umwatson.events.data.microsoft.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: US; Reputation: unknown
PID 1020, WerFault.exe: 93.184.221.240:80; Domain: ctldl.windowsupdate.com; ASN: EDGECAST; CN: GB; Reputation: whitelisted
PID 3712, NXYBankAssist.exe: 206.238.199.149:2021; Domain: -; ASN: TERAEXCH; CN: ZA; Reputation: unknown
PID 3752, svchost.exe: 20.190.160.22:443; Domain: login.live.com; ASN: MICROSOFT-CORP-MSN-AS-BLOCK; CN: NL; Reputation: whitelisted
PID 3752, svchost.exe: 192.229.221.95:80; Domain: ocsp.digicert.com; ASN: EDGECAST; CN: US; Reputation: whitelisted

DNS requests

umwatson.events.data.microsoft.com: 20.189.173.21 (whitelisted)
ctldl.windowsupdate.com: 93.184.221.240 (whitelisted)
login.live.com: 20.190.160.22, 40.126.32.134, 40.126.32.136, 40.126.32.76, 40.126.32.68, 40.126.32.140, 40.126.32.74, 40.126.32.138 (whitelisted)
ocsp.digicert.com: 192.229.221.95 (whitelisted)
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com: 152.199.21.175 (whitelisted)
edge.microsoft.com: 204.79.197.239, 13.107.21.239 (whitelisted)

Threats

PID 3712, NXYBankAssist.exe
Class: Malware Command and Control Activity Detected
Message: REMOTE [ANY.RUN] Gh0stRAT Server Null Response TCP (Gh0stCringe)

PID 1412, svchost.exe
Class: Misc activity
Message: ET INFO Microsoft Connection Test