File name: www.hgnghhngv.com

Full analysis: https://app.any.run/tasks/b24a2dbd-fa31-4308-8337-40e23a058a99
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: February 01, 2024, 07:30:08
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
remote
rat
gh0st
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: EE0D1967E6F6564CD19D9C30078CB893
SHA1: F0DEE9141EB1C7653190C27F1881EAF96BBF5C26
SHA256: C57646DB89CF3577B4488C84F0E71FC4041657EB6E52148915C358E0BE57665B
SSDEEP: 98304:zjNsizFBZT82kiigeiB5sSoK0SmmYr0Ca/FQWVMRLB9xxYyJAG/DgbYkz19lfTVc:ViIZ4DeXIZ4Deaqt7tqBxqt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • www.hgnghhngv.com.exe (PID: 5344)
      • NXYBankAssist.exe (PID: 3712)
    • Drops the executable file immediately after the start

      • www.hgnghhngv.com.exe (PID: 5344)
    • GH0ST has been detected (SURICATA)

      • NXYBankAssist.exe (PID: 3712)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • www.hgnghhngv.com.exe (PID: 5344)
    • Process drops legitimate windows executable

      • www.hgnghhngv.com.exe (PID: 5344)
    • Reads the Internet Settings

      • www.hgnghhngv.com.exe (PID: 5344)
      • Notepad.exe (PID: 1776)
    • Reads the date of Windows installation

      • www.hgnghhngv.com.exe (PID: 5344)
    • Executable content was dropped or overwritten

      • www.hgnghhngv.com.exe (PID: 5344)
    • The process drops C-runtime libraries

      • www.hgnghhngv.com.exe (PID: 5344)
    • Starts CMD.EXE for commands execution

      • www.hgnghhngv.com.exe (PID: 5344)
    • Executing commands from a ".bat" file

      • www.hgnghhngv.com.exe (PID: 5344)
    • Executes application which crashes

      • Client.exe (PID: 5632)
    • Application launched itself

      • NXYBankAssist.exe (PID: 4236)
    • Connects to unusual port

      • NXYBankAssist.exe (PID: 3712)
  • INFO

    • Checks supported languages

      • www.hgnghhngv.com.exe (PID: 5344)
      • Notepad.exe (PID: 1776)
      • Client.exe (PID: 5632)
      • NXYBankAssist.exe (PID: 4236)
      • NXYBankAssist.exe (PID: 3712)
    • Reads the computer name

      • www.hgnghhngv.com.exe (PID: 5344)
      • Notepad.exe (PID: 1776)
      • NXYBankAssist.exe (PID: 3712)
      • NXYBankAssist.exe (PID: 4236)
    • Create files in a temporary directory

      • www.hgnghhngv.com.exe (PID: 5344)
    • Creates files in the program directory

      • www.hgnghhngv.com.exe (PID: 5344)
    • Reads Environment values

      • www.hgnghhngv.com.exe (PID: 5344)
    • Reads the Internet Settings

      • WerFault.exe (PID: 1020)
    • Checks proxy server information

      • WerFault.exe (PID: 1020)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1020)
    • Reads CPU info

      • NXYBankAssist.exe (PID: 3712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:12:27 16:47:44+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 460288
InitializedDataSize: 167424
UninitializedDataSize: -
EntryPoint: 0x529af
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: M
FileDescription: 149
FileVersion: 6.0.0.0
LegalCopyright: M
ProductVersion: 6, 0, 0, 0
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph: www.hgnghhngv.com.exe, notepad.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), client.exe, nxybankassist.exe (no specs), werfault.exe, nxybankassist.exe (#GH0ST), www.hgnghhngv.com.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1020 | CMD: C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 260 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent process: Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1776 | CMD: "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2205.11.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe" "C:\Program Files\149\н¨Îı¾Îĵµ.txt" | Path: C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2205.11.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe | Parent process: www.hgnghhngv.com.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\windowsapps\microsoft.windowsnotepad_11.2205.11.0_x64__8wekyb3d8bbwe\notepad\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 3712 | CMD: "C:\Program Files\149\NXYBankAssist.exe" | Path: C:\Program Files\149\NXYBankAssist.exe | Parent process: NXYBankAssist.exe
User:
admin
Company:
税友软件集团股份有限公司
Integrity Level:
HIGH
Exit code:
0
Version:
3.0.124.2836
Modules
Images
c:\program files\149\nxybankassist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 4236 | CMD: "NXYBankAssist.exe" -hp | Path: C:\Program Files\149\NXYBankAssist.exe | Parent process: cmd.exe
User:
admin
Company:
税友软件集团股份有限公司
Integrity Level:
HIGH
Exit code:
0
Version:
3.0.124.2836
Modules
Images
c:\program files\149\nxybankassist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 4852 | CMD: "C:\Users\admin\Desktop\www.hgnghhngv.com.exe" | Path: C:\Users\admin\Desktop\www.hgnghhngv.com.exe | Parent process: explorer.exe
User:
admin
Company:
M
Integrity Level:
MEDIUM
Description:
149
Exit code:
3221226540
Version:
6.0.0.0
Modules
Images
c:\users\admin\desktop\www.hgnghhngv.com.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 4932 | CMD: C:\Windows\system32\cmd.exe /c ""C:\Program Files\149\н¨ Îı¾Îĵµ.bat" " | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: www.hgnghhngv.com.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 5344 | CMD: "C:\Users\admin\Desktop\www.hgnghhngv.com.exe" | Path: C:\Users\admin\Desktop\www.hgnghhngv.com.exe | Parent process: explorer.exe
User:
admin
Company:
M
Integrity Level:
HIGH
Description:
149
Exit code:
0
Version:
6.0.0.0
Modules
Images
c:\users\admin\desktop\www.hgnghhngv.com.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 5632 | CMD: "Client.exe" -hp | Path: C:\Program Files\149\Client.exe | Parent process: cmd.exe
User:
admin
Company:
腾讯计算机系统有限公司
Integrity Level:
HIGH
Description:
腾讯游戏登录程序
Exit code:
3221225477
Version:
4.0.23.5
Modules
Images
c:\program files\149\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 6068 | CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 4 530
Read events: 4 515
Write events: 12
Delete events: 3

Modification events

Process: (5344) www.hgnghhngv.com.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (5344) www.hgnghhngv.com.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (5344) www.hgnghhngv.com.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (5344) www.hgnghhngv.com.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Process: (5344) www.hgnghhngv.com.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults
Operation: write
Name: data
Value:
Process: (1020) WerFault.exe
Key: \REGISTRY\A\{2b880773-8728-fd50-6072-f6c60db1c527}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

Process: (1020) WerFault.exe
Key: \REGISTRY\A\{2b880773-8728-fd50-6072-f6c60db1c527}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:
Executable files: 16
Suspicious files: 10
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Users\admin\AppData\Local\Temp\20240201073034174~YingInstall-Language.ini | Type: text
MD5: 471452893A08C3CD834A0CDBF4899D95
SHA256: BD6AABB0EA4D6BFC517B721C17ABA42BE54B6C7DE94FB20254824423458385BF

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Program Files\149\ClientBase.dll | Type: executable
MD5: 9D4F8E7860E4B39C50F071F571667BD8
SHA256: 482C154D2145B3B9755BA96DF529F1D85C33A2BDA4A11CEF5C3F7C11086747AC

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Windows\SysWOW64\Ying-UnInstall.exe | Type: executable
MD5: 3F181BC8FBDD6F49A5961D167B9A8074
SHA256: C4FE7B9D5549A0686AD7F6D584EF770BD523396386D7D4187DB564058D74CDA0

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Users\admin\AppData\Local\Temp\20240201073034174~YingInstall-TopFramePicture.bmp | Type: image
MD5: A528A1EFB19F5BEE2FA74CD8650DAB24
SHA256: D9295A5E215CF9F1C2DD5B9AA5DEB1EE46619202B5814296CA73777506846608

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Users\admin\AppData\Local\Temp\YingInstall20240201073034174.xml | Type: xml
MD5: 6A16E47D527746E1821BE6D17E2110D8
SHA256: 84F6053BF83AFA51E94817AD5A92F4BEF741FEE1BC9ED14D7674AA53A7BCFF72

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Windows\SysWOW64\YingInstall\409.ini | Type: text
MD5: A18325A9C13BB4F95215286F5436C591
SHA256: 70E5FF11C7086CF7DCEC81A908A205F4A2ED247FADE519E75D8E1A12AC0A9585

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Program Files\149\1.ttf | Type: executable
MD5: DED0DF030A8A9B39A769AA6FAE9C6AAA
SHA256: F5DBE62E3340FBB50A1C5B3C54BC97ECA0B54EDC965EDE95D18B5968C5A7C881

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Program Files\149\EPLib.bpl | Type: executable
MD5: 120DC5EE6553F3690B457ACB3054D77D
SHA256: A0E14C10AA40BCC44ED38E2F7E5E47F496F0B7CE28058AD83DC8697C056BD14C

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Program Files\149\adortl70.bpl | Type: executable
MD5: 967E7EAC49ECAB6A44DCE09B1EBCFBA9
SHA256: C3B7000CFB70B7D8ADE94B37C6CF1069CFF7242AF797C80726CACD22302D7BDF

PID: 5344 | Process: www.hgnghhngv.com.exe | Filename: C:\Users\admin\AppData\Local\Temp\20240201073034174~YingInstall-WelcomeWndPicture.bmp | Type: image
MD5: 890E7011519B59C41ECB2C94035C2179
SHA256: 3B1A1E3D46F1AE4F81ADFC4E93F929F26537983CF245B45CB92E3B9444B2E056
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 27
DNS requests: 8
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1020 | WerFault.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1277bed07dd4f5e1 | unknown | compressed | 4.66 Kb | unknown
1412 | svchost.exe | GET | 200 | 2.16.164.42:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | text | 22 b | unknown
3752 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2664 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4588 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
5180 | msedge.exe | 224.0.0.251:5353 | - | - | - | unknown
1412 | svchost.exe | 2.16.164.35:80 | - | Akamai International B.V. | NL | unknown
5944 | svchost.exe | 2.18.97.153:443 | - | Akamai International B.V. | FR | unknown
1020 | WerFault.exe | 20.189.173.21:443 | umwatson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1020 | WerFault.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3712 | NXYBankAssist.exe | 206.238.199.149:2021 | - | TERAEXCH | ZA | unknown
3752 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3752 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
umwatson.events.data.microsoft.com
  • 20.189.173.21
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted

Threats

PID | Process | Class | Message
3712 | NXYBankAssist.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Gh0stRAT Server Null Response TCP (Gh0stCringe)
1412 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
No debug info