File name:	ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b
Full analysis:	https://app.any.run/tasks/9ff1f470-615b-4e0e-993d-367d97833040
Verdict:	Malicious activity
Threats:	Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 18:26:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	gh0st rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	2884296560844C92381D8DF21492163A
SHA1:	EC085415E5AF474FF092F5FEB829BBDCBA6C44B5
SHA256:	CE1DB5A120B5B6E14FA63CEE7CEED1D7A14CF470FCBEDD18F4A4916F0C4BE76B
SSDEEP:	49152:TJ6/C6ZCvN7z88988NtMJ+HyH9bv4Y6BBBBBD2CPc/oouuEsoGc7BWVMtwkaCg9w:l6/C6ZM6+y9v4o/EgZSQSh54g

.exe	\|	Win32 Executable MS Visual C++ (generic) (35.8)
.exe	\|	Win64 Executable (generic) (31.7)
.scr	\|	Windows screen saver (15)
.dll	\|	Win32 Dynamic Link Library (generic) (7.5)
.exe	\|	Win32 Executable (generic) (5.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:12:26 00:25:29+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	57344
InitializedDataSize:	512000
UninitializedDataSize:	-
EntryPoint:	0xb2656
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(3640) ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 75F9566800000000
(PID) Process:	(3640) ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4880) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(2808) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID	Process	Filename		Type
3640	ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b.exe	C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe		executable
		MD5:DB73A8800B882B85722AAA21B16EAD4F	SHA256:100507CCCE81F46A3190EAC5AF6098D8987F3332F5B413C09FE0C1CCA445AAB7
3640	ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b.exe	C:\Users\admin\AppData\Roaming\svchcst.exe		executable
		MD5:2884296560844C92381D8DF21492163A	SHA256:CE1DB5A120B5B6E14FA63CEE7CEED1D7A14CF470FCBEDD18F4A4916F0C4BE76B
3640	ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b.exe	C:\Users\admin\AppData\Roaming\Microsoft\Config.ini		text
		MD5:67B9B3E2DED7086F393EBBC36C5E7BCA	SHA256:44063C266686263F14CD2A83FEE124FB3E61A9171A6AAB69709464F49511011D
3640	ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b.exe	C:\Users\admin\AppData\Roaming\Microsoft\VBS3.vbs		text
		MD5:C69A538BF8AA952477AE9CC60BCEA949	SHA256:61D0B6C29AE7585F874A93AC5385C71E3B60D8D05DE53536B7E75D82A812EAE5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6876	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6876	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.23:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.159.64:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.31.130:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	—	whitelisted
—	—	POST	400	20.190.159.75:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6876	RUXIMICS.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6876	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
login.live.com	20.190.159.23 20.190.159.129 40.126.31.73 20.190.159.128 20.190.159.71 20.190.159.75 40.126.31.130 20.190.159.64	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

General Info

ce1db5a120b5b6e14fa63cee7ceed1d7a14cf470fcbedd18f4a4916f0c4be76b

2884296560844C92381D8DF21492163A

EC085415E5AF474FF092F5FEB829BBDCBA6C44B5

CE1DB5A120B5B6E14FA63CEE7CEED1D7A14CF470FCBEDD18F4A4916F0C4BE76B

49152:TJ6/C6ZCvN7z88988NtMJ+HyH9bv4Y6BBBBBD2CPc/oouuEsoGc7BWVMtwkaCg9w:l6/C6ZM6+y9v4o/EgZSQSh54g

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GH0ST mutex has been found

Uses sleep, probably for evasion detection (SCRIPT)

SUSPICIOUS

Reads security settings of Internet Explorer

The process executes VB scripts

Executable content was dropped or overwritten

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Executes WMI query (SCRIPT)

Runs shell command (SCRIPT)

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings