Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 12:03
- Static task: static1
General
- Target: 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
- Size: 4.6MB
- MD5: 8b8a860865fd30da6bd600b75a81f886
- SHA1: 17d7980b889182aebdc6d57a0161b32a028c6f6e
- SHA256: 429655c9f3d26e252771078cc17f4098a63961104546832a8f31ff2610e14e21
- SHA512: 2b26d4d1a6ed64e82bdf623df8152ccff3c5292ea556b5ca61d41d4dbcaa3552137c04431aaf72a8496becf4cd6f3fdd9ec7367e69a03427fc5129f6aa87424a
- SSDEEP: 98304:o1VVv28Dq4rX2c31lrWkhqc11RcopN2S7aAv:6tq4rX2c31lrWkhqc11RcMNXmAv
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/files/0x000700000002427f-5.dat; yara_rule: family_gh0strat
- Gh0strat family
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\240614484.bat" (process: GLk.exe)
- Executes dropped EXE (3 IoCs)
  PID 864 GLk.exe; PID 4328 HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe; PID 4236 svchist.exe
- Loads dropped DLL (3 IoCs)
  PID 864 GLk.exe; PID 1688 svchost.exe; PID 4236 svchist.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\svchist.exe (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\svchist.exe (process: svchost.exe)
  File created: C:\Windows\SysWOW64\240614484.bat (process: GLk.exe)
  File opened for modification: C:\Windows\SysWOW64\ini.ini (process: GLk.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe, GLk.exe, svchost.exe, svchist.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2700 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe (2 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4328 HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
- Suspicious use of SetWindowsHookEx (9 IoCs)
  PID 2700 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe (2 events); PID 4328 HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe (7 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2700 (2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe) wrote to memory of PID 864, target id 84 (3 events)
  PID 2700 (2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe) wrote to memory of PID 4328, target id 87 (2 events)
  PID 1688 (svchost.exe) wrote to memory of PID 4236, target id 95 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe (PID 2700)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\GLk.exe (PID 864)
    command line: C:\Users\Admin\AppData\Local\Temp\\GLk.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
  - child: C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe (PID 4328)
    command line: C:\Users\Admin\AppData\Local\Temp\\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\svchost.exe (PID 5800)
  command line: C:\Windows\SysWOW64\svchost.exe -k "svchist"
- C:\Windows\SysWOW64\svchost.exe (PID 1688)
  command line: C:\Windows\SysWOW64\svchost.exe -k "svchist"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\svchist.exe (PID 4236)
    command line: C:\Windows\system32\svchist.exe "c:\windows\system32\240614484.bat",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads