Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:03

General

  • Target

    2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe

  • Size

    4.6MB

  • MD5

    8b8a860865fd30da6bd600b75a81f886

  • SHA1

    17d7980b889182aebdc6d57a0161b32a028c6f6e

  • SHA256

    429655c9f3d26e252771078cc17f4098a63961104546832a8f31ff2610e14e21

  • SHA512

    2b26d4d1a6ed64e82bdf623df8152ccff3c5292ea556b5ca61d41d4dbcaa3552137c04431aaf72a8496becf4cd6f3fdd9ec7367e69a03427fc5129f6aa87424a

  • SSDEEP

    98304:o1VVv28Dq4rX2c31lrWkhqc11RcopN2S7aAv:6tq4rX2c31lrWkhqc11RcMNXmAv

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access trojan (RAT) whose source code is publicly available; it has been used by multiple Chinese threat groups.

  • Gh0strat family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive material.

  • Checks installed software on the system 1 TTPs

    Looks up entries under the Uninstall registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate installed software on the system.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\GLk.exe
      C:\Users\Admin\AppData\Local\Temp\\GLk.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:864
    • C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
      C:\Users\Admin\AppData\Local\Temp\\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4328
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "svchist"
    1⤵
      PID:5800
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "svchist"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\svchist.exe
        C:\Windows\system32\svchist.exe "c:\windows\system32\240614484.bat",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4236
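
The process tree above shows three things worth turning into detection logic: svchost.exe started with a service-group name ("svchist") that is not a built-in group, a dropped binary whose name is one character away from svchost.exe, and a rundll32-style `"path",Export` call that hands a .bat file to that binary. The following Python script is an added example, not part of the sandbox report or of the Gh0st RAT tooling; it runs those three checks over constructed Sysmon-style process-creation records that mirror the tree above. The svchost group allowlist, the list of core binaries and the set of non-PE extensions are assumptions for the example and should be generated from a clean reference build in practice.

```python
"""
Three process-creation checks derived from the execution chain above, run over
constructed Sysmon Event ID 1-style records (image path + command line).
  1. svchost.exe started with a -k service group that is not a built-in group.
  2. An image whose file name is one edit away from a core Windows binary.
  3. A command line that passes a non-PE file to a loader using the
     rundll32-style "path,Export" convention (e.g. "x.bat",MainThread).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Partial allowlist of built-in svchost service groups (assumption for this
# example). A production list should be read from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a clean host.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "localsystemnetworkrestricted",
    "localservicenetworkrestricted", "localservicenonetwork", "dcomlaunch", "rpcss",
    "wsappx", "utcsvc", "appmodel", "unistacksvcgroup", "clipboardsvcgroup",
    "localserviceandnoimpersonation", "localservicepeernet", "termsvcs", "wersvcgroup",
    "networkservicenetworkrestricted", "imgsvc", "secsvcs", "swprv", "rdxgroup",
}

# Core Windows binaries commonly imitated by look-alike names (assumption).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                 "winlogon.exe", "explorer.exe", "rundll32.exe", "smss.exe"}

# Extensions that should never be the target of an export-style load (assumption).
NON_PE_EXTENSIONS = ("bat", "dat", "txt", "log", "tmp")

_SVCHOST_GROUP = re.compile(r'(?i)\s-k\s+"?([^"\s]+)"?')
_EXPORT_CALL = re.compile(
    r'(?i)"?([^"\s]+\.(' + "|".join(NON_PE_EXTENSIONS) + r'))"?\s*,\s*([A-Za-z_][A-Za-z0-9_]*)'
)


@dataclass
class ProcessEvent:
    image: str
    command_line: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot names like svchist.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcessEvent) -> List[str]:
    """Return human-readable findings for one process-creation record."""
    findings = []
    name = basename(ev.image)
    if name == "svchost.exe":
        m = _SVCHOST_GROUP.search(ev.command_line)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"svchost started with unknown service group '{m.group(1)}'")
    elif name not in CORE_BINARIES:
        for core in sorted(CORE_BINARIES):
            if levenshtein(name, core) == 1:
                findings.append(f"image name '{name}' is one edit from core binary '{core}'")
                break
    m = _EXPORT_CALL.search(ev.command_line)
    if m:
        findings.append(f"export-style call into non-PE file '{m.group(1)}' (export {m.group(3)})")
    return findings


def scan(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Map image path -> findings for every event that triggered at least one check."""
    results = {}
    for ev in events:
        f = analyze(ev)
        if f:
            results[ev.image] = f
    return results


# Constructed records mirroring the process tree in the report (not sandbox events).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Admin\AppData\Local\Temp\GLk.exe",
                 r"C:\Users\Admin\AppData\Local\Temp\\GLk.exe"),
    ProcessEvent(r"C:\Windows\SysWOW64\svchost.exe",
                 r'C:\Windows\SysWOW64\svchost.exe -k "svchist"'),
    ProcessEvent(r"C:\Windows\SysWOW64\svchist.exe",
                 r'C:\Windows\system32\svchist.exe "c:\windows\system32\240614484.bat",MainThread'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),  # benign control
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for f in findings:
            print("   ", f)
```

The benign `-k netsvcs` record is included so the allowlist check is exercised both ways; only the two records from the malicious chain produce findings. The export-style check keys on the `"path",Export` shape rather than on the specific file name, so it also catches other loaders that invoke a non-PE extension this way.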

Network

MITRE ATT&CK Enterprise v16


Downloads

  • C:\Users\Admin\AppData\Local\Temp\GLk.exe

    Filesize: 337KB
    MD5: b8e58a96761799f4ad0548dba39d650c
    SHA1: c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f
    SHA256: 334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df
    SHA512: 1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

  • C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe

    Filesize: 3.3MB
    MD5: 4a03b5d8185c3f03aa8719f3736f36d5
    SHA1: 6c8dc57a6e8449204958e2f7bfa0dbe711a9212c
    SHA256: 2064eddb0b12f9e8ad4b7cfb18ba9a8b887da8ea0bc0fa2dbcb8b268a5069b25
    SHA512: ba4b9f1b6acb31766a8016eba4a214e432289df62b088a3d7880929d24f9bb90067a22a66dc8241c2997c14c1d286c541216c4b914a9a5f48644d623ef21579e

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize: 1.2MB
    MD5: b963d35b9e913267f7f798c109f91440
    SHA1: 9d3752592356de28d4e5868a3893ea63b01eca52
    SHA256: 3ff885db97bb18ce2c69b7413c464805a918bd88e3d669724b14586af7b44d31
    SHA512: 1afdd2f0740ece600be7f2e8cbb19926e34a6230ba95338f9440777da5a09ec9fd8f6e7f226cb8c34826d9a80f72fc50d34872369353fc84158342aa152dd584

  • C:\Windows\SysWOW64\240614484.bat

    Filesize: 51KB
    MD5: 4770b45407d16f634d6f7372fd4f4f21
    SHA1: 4a328ad36caa3d20dec848e2b130f629e7653a3c
    SHA256: ac4ad3e56d7586c8db65784166d9b7ac152cab28a7f8a9d51c08982c82cdb664
    SHA512: a8cc0ba3f2a390ca7a069af33c4f5dfa63e926e2d9f9a35dac963b1d322b0a8dcd9f77b164b207f35e353c9c0daca3f570ad7fd2232ae7b36f789f81769e40a9

  • C:\Windows\SysWOW64\svchist.exe

    Filesize: 60KB
    MD5: 889b99c52a60dd49227c5e485a016679
    SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
    SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
    SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641