e6c425b4695540614f5868913f9e7a509227b4b043e63058534f05430d747d98 | Triage

Submit
Reports

Overview

overview

8

Static

static

1

2025-03-31...er.exe

windows10-2004-x64

8

Sharing

General

Target

2025-03-31_30c990bbafdbf6cb080eb5363941537a_amadey_black-basta_hijackloader_luca-stealer_smoke-loader
Size

5.6MB
Sample

250331-s2rmrasycs
MD5

30c990bbafdbf6cb080eb5363941537a
SHA1

ae17ba3b1571172b1ba3272afcf05680187fc116
SHA256

e6c425b4695540614f5868913f9e7a509227b4b043e63058534f05430d747d98
SHA512

991291a745e4b2d1abf3097b1081ec6c418d328cfbbaa374f0dace366fef4149141fc8e02903a913c0965568b1a3d3731bbc68ceaf17745192c28137baa7684b
SSDEEP

98304:Nv8s6efPOrJJNr2uTvY8vYEoQTJ9GGPrQZU/:SfefPOrJH2ulvYPQTJY

Score

8^/10

discovery persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

2025-03-31_30c990bbafdbf6cb080eb5363941537a_amadey_black-basta_hijackloader_luca-stealer_smoke-loader.exe

Resource

win10v2004-20250314-en

discovery persistence privilege_escalation

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  2025-03-31_30c990bbafdbf6cb080eb5363941537a_amadey_black-basta_hijackloader_luca-stealer_smoke-loader
- Size
  
  5.6MB
- MD5
  
  30c990bbafdbf6cb080eb5363941537a
- SHA1
  
  ae17ba3b1571172b1ba3272afcf05680187fc116
- SHA256
  
  e6c425b4695540614f5868913f9e7a509227b4b043e63058534f05430d747d98
- SHA512
  
  991291a745e4b2d1abf3097b1081ec6c418d328cfbbaa374f0dace366fef4149141fc8e02903a913c0965568b1a3d3731bbc68ceaf17745192c28137baa7684b
- SSDEEP
  
  98304:Nv8s6efPOrJJNr2uTvY8vYEoQTJ9GGPrQZU/:SfefPOrJH2ulvYPQTJY
Score

8^/10

discovery persistence privilege_escalation
- Sets service image path in registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
  persistence privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Authentication Package

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Authentication Package

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalation

© 2018-2025

Terms | Privacy