Malware Analysis Report

2025-08-10 20:04

Sample ID 250704-n73vrahj3v
Target 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys
SHA256 429655c9f3d26e252771078cc17f4098a63961104546832a8f31ff2610e14e21
Tags
gh0strat discovery persistence rat spyware stealer
Score
10/10


Analysis Overview

Score
10/10

SHA256

429655c9f3d26e252771078cc17f4098a63961104546832a8f31ff2610e14e21

Threat Level: Known bad

The file 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys was found to be: Known bad.

Malicious Activity Summary

gh0strat discovery persistence rat spyware stealer

Gh0st RAT payload

Gh0strat family

Gh0strat

Server Software Component: Terminal Services DLL

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:03

Reported

2025-07-04 12:05

Platform

win10v2004-20250610-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\240614484.bat" C:\Users\Admin\AppData\Local\Temp\GLk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GLk.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchist.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\svchist.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\svchist.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\240614484.bat C:\Users\Admin\AppData\Local\Temp\GLk.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\GLk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GLk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchist.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe C:\Users\Admin\AppData\Local\Temp\GLk.exe
PID 2700 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe C:\Users\Admin\AppData\Local\Temp\GLk.exe
PID 2700 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe C:\Users\Admin\AppData\Local\Temp\GLk.exe
PID 2700 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
PID 2700 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
PID 1688 wrote to memory of 4236 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchist.exe
PID 1688 wrote to memory of 4236 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchist.exe
PID 1688 wrote to memory of 4236 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe"

C:\Users\Admin\AppData\Local\Temp\GLk.exe

C:\Users\Admin\AppData\Local\Temp\\GLk.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchist"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "svchist"

C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe

C:\Users\Admin\AppData\Local\Temp\\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe

C:\Windows\SysWOW64\svchist.exe

C:\Windows\system32\svchist.exe "c:\windows\system32\240614484.bat",MainThread

Network


Files

C:\Users\Admin\AppData\Local\Temp\GLk.exe

MD5 b8e58a96761799f4ad0548dba39d650c
SHA1 c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f
SHA256 334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df
SHA512 1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

C:\Windows\SysWOW64\240614484.bat

MD5 4770b45407d16f634d6f7372fd4f4f21
SHA1 4a328ad36caa3d20dec848e2b130f629e7653a3c
SHA256 ac4ad3e56d7586c8db65784166d9b7ac152cab28a7f8a9d51c08982c82cdb664
SHA512 a8cc0ba3f2a390ca7a069af33c4f5dfa63e926e2d9f9a35dac963b1d322b0a8dcd9f77b164b207f35e353c9c0daca3f570ad7fd2232ae7b36f789f81769e40a9

C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe

MD5 4a03b5d8185c3f03aa8719f3736f36d5
SHA1 6c8dc57a6e8449204958e2f7bfa0dbe711a9212c
SHA256 2064eddb0b12f9e8ad4b7cfb18ba9a8b887da8ea0bc0fa2dbcb8b268a5069b25
SHA512 ba4b9f1b6acb31766a8016eba4a214e432289df62b088a3d7880929d24f9bb90067a22a66dc8241c2997c14c1d286c541216c4b914a9a5f48644d623ef21579e

C:\Windows\SysWOW64\svchist.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 b963d35b9e913267f7f798c109f91440
SHA1 9d3752592356de28d4e5868a3893ea63b01eca52
SHA256 3ff885db97bb18ce2c69b7413c464805a918bd88e3d669724b14586af7b44d31
SHA512 1afdd2f0740ece600be7f2e8cbb19926e34a6230ba95338f9440777da5a09ec9fd8f6e7f226cb8c34826d9a80f72fc50d34872369353fc84158342aa152dd584