General

  • Target

    2025-05-15_ddfebe6fa894bdba8eb515bbf2c32974_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer

  • Size

    11.1MB

  • Sample

    250515-x7pska1vdt

  • MD5

    ddfebe6fa894bdba8eb515bbf2c32974

  • SHA1

    23febefb517c83b9791e598c5d9f4dc9780bb525

  • SHA256

    c92da7a6e04609c26a1a4052c01eb93373aa741daaacc2bce5574c36cfad99c9

  • SHA512

    b1254ed4426534c71fe4de90c0e8da92b3f8197197f69b889fdc2b47458928d1f7d24740fc3e950cf4fef95c561c81db05d38857f15f0f974da750f333f7f5af

  • SSDEEP

    196608:ZG+fzBUMLTZP2MNPONfdPK6rzCBg/1I0S8YAObAYlIt5Q5OLdxObkQSsnpcO1Z6w:ZG+fzBUMRvODPK6rzCBg/W0S8YAObAYb

Malware Config

Targets

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in VisualBasic.

    • Mofksys family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks