File name:

d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c

Full analysis: https://app.any.run/tasks/a5c940f0-baa4-463c-baa2-98568a7a8b42
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: April 19, 2025, 21:51:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
remote
rat
gh0st
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

AB024B753D719130A602220DA7E68FD6

SHA1:

5B32F8E04A09BC7C47915B2688FF9656B7871D6F

SHA256:

D47417717A878AA63EC6BD53E54111E058242C764F7B70E4BAB1853D514D752C

SSDEEP:

12288:jKqhgjhin/B2hDWGhEVksO2SGjaiPQCfTifp6VZuNBfVVVVVVVVVVVVVVVVNVVVw:jKqhehin/B2hDWGhAODGjaiPP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GH0ST has been detected (SURICATA)

      • tapisrv.exe (PID: 7868)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • Executable content was dropped or overwritten

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • The process drops C-runtime libraries

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • Reads security settings of Internet Explorer

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • Likely accesses (executes) a file from the Public directory

      • tapisrv.exe (PID: 7820)
      • tapisrv.exe (PID: 7868)
    • There is functionality for taking screenshot (YARA)

      • tapisrv.exe (PID: 7868)
      • tapisrv.exe (PID: 8016)
    • Contacting a server suspected of hosting a CnC

      • tapisrv.exe (PID: 7868)
    • Connects to unusual port

      • tapisrv.exe (PID: 7868)
  • INFO

    • The sample compiled with English language support

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • Checks supported languages

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
      • tapisrv.exe (PID: 7868)
    • Reads the computer name

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
      • tapisrv.exe (PID: 7868)
    • The sample compiled with Chinese language support

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • Process checks computer location settings

      • d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe (PID: 7360)
    • Reads the machine GUID from the registry

      • tapisrv.exe (PID: 7868)
    • Manual execution by a user

      • tapisrv.exe (PID: 7968)
      • notepad.exe (PID: 8068)
      • tapisrv.exe (PID: 8016)
      • notepad.exe (PID: 8116)
      • notepad.exe (PID: 8156)
      • notepad.exe (PID: 7316)
      • notepad.exe (PID: 7264)
      • notepad.exe (PID: 2140)
      • notepad.exe (PID: 7200)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 8068)
      • notepad.exe (PID: 8116)
      • notepad.exe (PID: 8156)
      • notepad.exe (PID: 7264)
      • notepad.exe (PID: 2140)
      • notepad.exe (PID: 7200)
      • notepad.exe (PID: 7316)
    • Reads CPU info

      • tapisrv.exe (PID: 7868)
    • Checks proxy server information

      • slui.exe (PID: 7752)
    • Reads the software policy settings

      • slui.exe (PID: 7752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (34.8)
.exe | Win32 Executable MS Visual C++ (generic) (25.2)
.exe | Win64 Executable (generic) (22.3)
.scr | Windows screen saver (10.6)
.exe | Win32 Executable (generic) (3.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:10 14:16:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 266240
InitializedDataSize: 1060864
UninitializedDataSize: -
EntryPoint: 0xa7a6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
138
Monitored processes
13
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes shown in the graph (in order): d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe, slui.exe, tapisrv.exe (no specs), tapisrv.exe (#GH0ST), tapisrv.exe (no specs), tapisrv.exe, and seven notepad.exe instances (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2140
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\directui license.txt"
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
7200
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\opencv license.txt"
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
7264
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\duilib license.txt"
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
7316
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Config.ini
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
7360
CMD:
"C:\Users\admin\Desktop\d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe"
Path:
C:\Users\admin\Desktop\d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID:
7752
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
7820
CMD:
"C:\Users\Public\McAfee\tapisrv.exe"
Path:
C:\Users\Public\McAfee\tapisrv.exe
Parent process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
User:
admin
Company:
巧课教育科技(深圳)有限公司
Integrity Level:
MEDIUM
Description:
巧课客户端
Exit code:
3221226540
Version:
2.0.0.0
Modules
Images
c:\users\public\mcafee\tapisrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7868
CMD:
"C:\Users\Public\McAfee\tapisrv.exe"
Path:
C:\Users\Public\McAfee\tapisrv.exe
Parent process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
User:
admin
Company:
巧课教育科技(深圳)有限公司
Integrity Level:
HIGH
Description:
巧课客户端
Version:
2.0.0.0
Modules
Images
c:\users\public\mcafee\tapisrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
7968
CMD:
"C:\Users\admin\Desktop\tapisrv.exe"
Path:
C:\Users\admin\Desktop\tapisrv.exe
Parent process:
explorer.exe
User:
admin
Company:
巧课教育科技(深圳)有限公司
Integrity Level:
MEDIUM
Description:
巧课客户端
Exit code:
3221226540
Version:
2.0.0.0
Modules
Images
c:\users\admin\desktop\tapisrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
8016
CMD:
"C:\Users\admin\Desktop\tapisrv.exe"
Path:
C:\Users\admin\Desktop\tapisrv.exe
Parent process:
explorer.exe
User:
admin
Company:
巧课教育科技(深圳)有限公司
Integrity Level:
HIGH
Description:
巧课客户端
Exit code:
3221225781
Version:
2.0.0.0
Modules
Images
c:\users\admin\desktop\tapisrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
5 302
Read events
5 302
Write events
0
Delete events
0

Modification events

No data
Executable files
45
Suspicious files
1
Text files
9
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\Downloads\utotu.dat
MD5:
SHA256:
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-core-file-l1-2-0.dll
Type:
executable
MD5:79EE4A2FCBE24E9A65106DE834CCDA4A
SHA256:9F7BDA59FAAFC8A455F98397A63A7F7D114EFC4E8A41808C791256EBF33C7613
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-core-file-l2-1-0.dll
Type:
executable
MD5:3F224766FE9B090333FDB43D5A22F9EA
SHA256:AE5E73416EB64BC18249ACE99F6847024ECEEA7CE9C343696C84196460F3A357
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\alibabacloud-oss-cpp-sdk.dll
Type:
executable
MD5:0AAEB781E651BE69F6D643A72B15C6CB
SHA256:E9359D5C42B6767D63525AE73EB194A88C3E68111CEE4EC1A2BDBB8ECF530BB9
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-crt-heap-l1-1-0.dll
Type:
executable
MD5:1776A2B85378B27825CF5E5A3A132D9A
SHA256:675B1B82DD485CC8C8A099272DB9241D0D2A7F45424901F35231B79186EC47EE
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-core-synch-l1-2-0.dll
Type:
executable
MD5:6E704280D632C2F8F2CADEFCAE25AD85
SHA256:758A2F9EF6908B51745DB50D89610FE1DE921D93B2DBEA919BFDBA813D5D8893
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-crt-convert-l1-1-0.dll
Type:
executable
MD5:9DDEA3CC96E0FDD3443CC60D649931B3
SHA256:B7C3EBC36C84630A52D23D1C0E79D61012DFA44CDEBDF039AF31EC9E322845A5
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-crt-environment-l1-1-0.dll
Type:
executable
MD5:39325E5F023EB564C87D30F7E06DFF23
SHA256:56D8B7EE7619579A3C648EB130C9354BA1BA5B33A07A4F350370EE7B3653749A
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\McAfee\api-ms-win-crt-locale-l1-1-0.dll
Type:
executable
MD5:034379BCEA45EB99DB8CDFEACBC5E281
SHA256:8B543B1BB241F5B773EB76F652DAD7B12E3E4A09230F2E804CD6B0622E8BAF65
PID:
7360
Process:
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
Filename:
C:\Users\Public\Downloads\rtihr.dat
Type:
compressed
MD5:6A068A1C5E024FFFF14E7DA0E94F10C2
SHA256:20B9DAD18D70FD0FF2A78A1D1E5505B43CA1E0EBB997403DE324C1B233441C6F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
27
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7360
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
GET
200
27.124.44.75:80
http://download.linuxroot.site/download/6108.dat
unknown
unknown
2104
svchost.exe
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7868
tapisrv.exe
GET
14.128.50.89:80
http://da.jib-a.com/
unknown
unknown
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7360
d47417717a878aa63ec6bd53e54111e058242c764f7b70e4bab1853d514d752c.exe
27.124.44.75:80
download.linuxroot.site
BGPNET Global ASN
SG
unknown
2104
svchost.exe
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6808
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7868
tapisrv.exe
14.128.50.89:80
da.jib-a.com
BGPNET Global ASN
SG
unknown
2196
svchost.exe
224.0.0.252:5355
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
download.linuxroot.site
  • 27.124.44.75
unknown
crl.microsoft.com
  • 23.216.77.19
  • 23.216.77.6
  • 23.216.77.36
  • 23.216.77.8
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
da.jib-a.com
  • 14.128.50.89
unknown

Threats

PID
Process
Class
Message
7868
tapisrv.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
7868
tapisrv.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Gh0stRAT TCP Packet
No debug info