Analysis Overview
SHA256: 429655c9f3d26e252771078cc17f4098a63961104546832a8f31ff2610e14e21
Threat Level: Known bad
The file 2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Gh0strat
Server Software Component: Terminal Services DLL
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-07-04 12:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-07-04 12:03
Reported: 2025-07-04 12:05
Platform: win10v2004-20250610-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\240614484.bat" | C:\Users\Admin\AppData\Local\Temp\GLk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchist.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchist.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\svchist.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchist.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240614484.bat | C:\Users\Admin\AppData\Local\Temp\GLk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\GLk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe" |
| C:\Users\Admin\AppData\Local\Temp\GLk.exe | C:\Users\Admin\AppData\Local\Temp\\GLk.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "svchist" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe -k "svchist" |
| C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe | C:\Users\Admin\AppData\Local\Temp\\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe |
| C:\Windows\SysWOW64\svchist.exe | C:\Windows\system32\svchist.exe "c:\windows\system32\240614484.bat",MainThread |
Network
Files
C:\Users\Admin\AppData\Local\Temp\GLk.exe
| Hash | Value |
| --- | --- |
| MD5 | b8e58a96761799f4ad0548dba39d650c |
| SHA1 | c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f |
| SHA256 | 334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df |
| SHA512 | 1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3 |
C:\Windows\SysWOW64\240614484.bat
| Hash | Value |
| --- | --- |
| MD5 | 4770b45407d16f634d6f7372fd4f4f21 |
| SHA1 | 4a328ad36caa3d20dec848e2b130f629e7653a3c |
| SHA256 | ac4ad3e56d7586c8db65784166d9b7ac152cab28a7f8a9d51c08982c82cdb664 |
| SHA512 | a8cc0ba3f2a390ca7a069af33c4f5dfa63e926e2d9f9a35dac963b1d322b0a8dcd9f77b164b207f35e353c9c0daca3f570ad7fd2232ae7b36f789f81769e40a9 |
C:\Users\Admin\AppData\Local\Temp\HD_2025-07-04_8b8a860865fd30da6bd600b75a81f886_black-basta_elex_icedid_rhadamanthys.exe
| Hash | Value |
| --- | --- |
| MD5 | 4a03b5d8185c3f03aa8719f3736f36d5 |
| SHA1 | 6c8dc57a6e8449204958e2f7bfa0dbe711a9212c |
| SHA256 | 2064eddb0b12f9e8ad4b7cfb18ba9a8b887da8ea0bc0fa2dbcb8b268a5069b25 |
| SHA512 | ba4b9f1b6acb31766a8016eba4a214e432289df62b088a3d7880929d24f9bb90067a22a66dc8241c2997c14c1d286c541216c4b914a9a5f48644d623ef21579e |
C:\Windows\SysWOW64\svchist.exe
| Hash | Value |
| --- | --- |
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| Hash | Value |
| --- | --- |
| MD5 | b963d35b9e913267f7f798c109f91440 |
| SHA1 | 9d3752592356de28d4e5868a3893ea63b01eca52 |
| SHA256 | 3ff885db97bb18ce2c69b7413c464805a918bd88e3d669724b14586af7b44d31 |
| SHA512 | 1afdd2f0740ece600be7f2e8cbb19926e34a6230ba95338f9440777da5a09ec9fd8f6e7f226cb8c34826d9a80f72fc50d34872369353fc84158342aa152dd584 |