Malware Analysis Report

2025-06-16 05:39

Sample ID 250520-kcctasem7y
Target 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer
SHA256 5594a874d100e3e32d43273973cb09376a09ad4df20e0d74912af9ae8d2da96b
Tags
mofksys defense_evasion discovery persistence worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5594a874d100e3e32d43273973cb09376a09ad4df20e0d74912af9ae8d2da96b

Threat Level: Known bad

The file 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

mofksys defense_evasion discovery persistence worm

Detects Mofksys worm

Mofksys family

Mofksys

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Checks BIOS information in registry

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-20 08:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-20 08:26

Reported

2025-05-20 08:29

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\mbamtestfile.dat \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
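The four registry sections above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) are the sample's whole persistence and hiding story, and each one has a well-defined "benign" shape a rule can compare against: Winlogon's Shell value is a comma-separated list and Winlogon starts every entry, so keeping the real C:\Windows\explorer.exe first and appending c:\windows\system\explorer.exe gives the user a normal desktop with the implant started alongside it; an Active Setup StubPath runs at each user's logon, but vendor stubs live under Windows or Program Files, not under AppData\Roaming; RunOnce values run at the next logon; and ShowSuperHidden = 0 is the Windows default, so the indicator is the write itself by something other than the real Explorer, not the value. The script below is an added example, not part of the sandbox report or of any detection engine: it takes rows in the layout of the tables above (the four rows from this report plus one constructed benign control row with a placeholder GUID) and applies those rules. The directory set in EXPECTED_HOME assumes a default Windows install on C:.

```python
import ntpath
import re

# Constructed sample rows in the layout of this report's signature tables:
# (description, key, value, acting process). The first four copy the report's
# own Winlogon, ShowSuperHidden, Active Setup and RunOnce rows; the fifth is a
# constructed benign control row (placeholder GUID) that the rules should pass.
REG_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe",
     r"\??\c:\windows\system\explorer.exe"),
    ("Set value (int)",
     r"\REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "0",
     r"\??\c:\windows\system\svchost.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath",
     r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR",
     r"\??\c:\windows\system\svchost.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     r"c:\windows\system\svchost.exe RO",
     r"\??\c:\windows\system\explorer.exe"),
    ("Set value (str)",  # constructed control row, not from the report
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\StubPath",
     r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll",
     r"C:\Windows\System32\msiexec.exe"),
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Where Windows keeps the binaries whose names this sample borrows
# (assumption: default install on C:).
EXPECTED_HOME = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def norm(path):
    """Lower-case a path, dropping quotes and the NT object-manager prefix."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def exe_from_cmdline(cmd):
    """First executable of a command line: a quoted token, or the first token ending in .exe."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    return norm(m.group(1) or m.group(2)) if m else None


def masquerade(path):
    """True when a core Windows binary name sits outside its real directory."""
    p = norm(path)
    home = EXPECTED_HOME.get(ntpath.basename(p))
    return home is not None and ntpath.dirname(p) not in home


def is_user_writable(path):
    return any(tag in norm(path) for tag in USER_WRITABLE)


def suspicious_target(cmdline):
    exe = exe_from_cmdline(cmdline)
    return exe is not None and (is_user_writable(exe) or masquerade(exe))


def triage_registry_events(events):
    """Apply the persistence / defence-evasion rules to (desc, key, value, process) rows."""
    findings, seen_procs = [], set()
    for _desc, key, value, proc in events:
        k = key.lower()
        if k.endswith("\\winlogon\\shell"):
            # Winlogon starts every comma-separated entry; anything beyond explorer.exe is a hijack.
            if norm(value) not in {"explorer.exe", r"c:\windows\explorer.exe"}:
                findings.append(("winlogon_shell_hijack", key, value))
        elif "\\active setup\\installed components\\" in k and k.endswith("\\stubpath"):
            # StubPath runs at each user's logon; a stub in a user-writable dir is not a vendor installer.
            if suspicious_target(value):
                findings.append(("active_setup_stub_suspicious", key, value))
        elif re.search(r"\\currentversion\\run(once)?\\", k):
            if suspicious_target(value):
                findings.append(("run_key_suspicious_target", key, value))
        elif k.endswith("\\advanced\\showsuperhidden") and value.strip() == "0":
            # 0 is the Windows default; the signal is a write by anything other than the real Explorer.
            if ntpath.basename(norm(proc)) != "explorer.exe" or masquerade(proc):
                findings.append(("hide_system_files", key, proc))
        # Independently of the key, note who is doing the writing.
        if masquerade(proc) and norm(proc) not in seen_procs:
            seen_procs.add(norm(proc))
            findings.append(("masquerading_process", proc, key))
    return findings


def rules_hit(findings):
    return {rule for rule, _, _ in findings}


if __name__ == "__main__":
    for rule, where, detail in triage_registry_events(REG_EVENTS):
        print(f"{rule:30} {where}\n{'':30} {detail}")
```

On this report's rows the script raises all five rule names and leaves the control row alone; the masquerading-process rule fires once per distinct writer (the c:\windows\system copies of explorer.exe and svchost.exe), which is why the WOW6432Node paths in the tables above matter: on 64-bit Windows a 32-bit process writing HKLM\SOFTWARE lands in the WOW6432Node view, and a rule that only watches the 64-bit key path misses every row here.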

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\mbamtestfile.dat \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
File created C:\Program Files (x86)\mbamtestfile.dat \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe  N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\icsys.icn.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5412 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 
PID 5412 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 
PID 5412 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 
PID 5412 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 5412 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 5412 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe C:\Users\Admin\AppData\Local\icsys.icn.exe
PID 264 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 264 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 264 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\icsys.icn.exe \??\c:\windows\system\explorer.exe
PID 5260 wrote to memory of 5800 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5260 wrote to memory of 5800 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5260 wrote to memory of 5800 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5800 wrote to memory of 5028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5800 wrote to memory of 5028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5800 wrote to memory of 5028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5028 wrote to memory of 2276 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5028 wrote to memory of 2276 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5028 wrote to memory of 2276 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5028 wrote to memory of 4836 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 4836 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 4836 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3320 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3320 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3320 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3680 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 3680 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 3680 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\svchost.exe
PID 5028 wrote to memory of 3176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 3176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 3176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 5128 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 5128 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5028 wrote to memory of 5128 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe"

\??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 

c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 

C:\Users\Admin\AppData\Local\icsys.icn.exe

C:\Users\Admin\AppData\Local\icsys.icn.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe RO

C:\Windows\SysWOW64\at.exe

at 08:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 08:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
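The process list above has no parent/child links, but the "Suspicious use of WriteProcessMemory" rows do: each "PID A wrote to memory of B" row is a parent writing into a child it just created, so the rows can be turned into the execution tree (sample -> icsys.icn.exe -> c:\windows\system\explorer.exe -> spoolsv.exe -> svchost.exe -> at.exe), and the two cmd.exe /c ... RO launches match the RunOnce values written earlier. The script below is an added example, not part of the sandbox report: it parses those rows (constructed here from the report, with one row kept duplicated because the sandbox logs every write three times), renders the tree with the borrowed system-binary names marked, and decodes the three at.exe command lines. One caveat a hunter should keep in mind: at.exe has been deprecated in favour of schtasks.exe since Windows 8, and the report records only the invocations, not whether the jobs were accepted, so treat them as intent (a daily /interactive relaunch of the svchost.exe copy) rather than confirmed persistence. The directory set in REAL_HOME assumes a default Windows install on C:.

```python
import ntpath
import re
from collections import defaultdict

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
AT_RE = re.compile(r"^at (\d{1,2}:\d{2})((?: /\S+)*) (\S+)$", re.IGNORECASE)

# Image paths exactly as they appear in the report.
S = r"C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe"
I = r"C:\Users\Admin\AppData\Local\icsys.icn.exe"
E = r"\??\c:\windows\system\explorer.exe"
P = r"\??\c:\windows\system\spoolsv.exe"
V = r"\??\c:\windows\system\svchost.exe"
AT, CMD = r"C:\Windows\SysWOW64\at.exe", r"C:\Windows\system32\cmd.exe"

# Constructed input: the report's WriteProcessMemory rows, one copy of each edge
# except the first, which is kept duplicated to show that the parser de-duplicates.
WPM_ROWS = [
    f"PID 5412 wrote to memory of 3080 N/A {S} \\??\\{S.lower()}",
    f"PID 5412 wrote to memory of 3080 N/A {S} \\??\\{S.lower()}",
    f"PID 5412 wrote to memory of 264 N/A {S} {I}",
    f"PID 264 wrote to memory of 5260 N/A {I} {E}",
    f"PID 5260 wrote to memory of 5800 N/A {E} {P}",
    f"PID 5800 wrote to memory of 5028 N/A {P} {V}",
    f"PID 5028 wrote to memory of 2276 N/A {V} {P}",
    f"PID 5028 wrote to memory of 4836 N/A {V} {AT}",
    f"PID 3320 wrote to memory of 4720 N/A {CMD} {E}",
    f"PID 3680 wrote to memory of 4872 N/A {CMD} {V}",
    f"PID 5028 wrote to memory of 3176 N/A {V} {AT}",
    f"PID 5028 wrote to memory of 5128 N/A {V} {AT}",
]
# Constructed input: the three at.exe command lines from the process list.
AT_CMDS = [
    r"at 08:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 08:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 08:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]

# Where Windows keeps the binaries whose names this sample borrows (assumption: default install on C:).
REAL_HOME = {"explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
             "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
             "spoolsv.exe": {r"c:\windows\system32"}}


def masquerades(image):
    """A core Windows binary name living outside its real directory."""
    p = image.lower().removeprefix("\\??\\")
    home = REAL_HOME.get(ntpath.basename(p))
    return home is not None and ntpath.dirname(p) not in home


def parse_wpm(rows):
    """Unique (ppid, pid, parent_image, child_image) edges from WriteProcessMemory rows."""
    edges = set()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def lineage(edges, pid):
    """Ancestor chain [root, ..., pid] following the recorded parent links."""
    parent = {c: p for p, c, _, _ in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render_tree(edges):
    """One indented line per process, rooted at processes with no recorded parent."""
    kids, img = defaultdict(list), {}
    for p, c, pi, ci in sorted(edges):
        kids[p].append(c)
        img[p], img[c] = pi, ci
    children = {c for _, c, _, _ in edges}
    lines = []

    def walk(pid, depth):
        tag = "   <-- masquerade" if masquerades(img[pid]) else ""
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(img[pid].lower())}{tag}")
        for c in kids.get(pid, []):
            walk(c, depth + 1)

    for root in sorted(p for p in kids if p not in children):
        walk(root, 0)
    return lines


def parse_at_cmd(cmd):
    """Schedule time, days, /interactive flag and target of an at.exe command line."""
    m = AT_RE.match(cmd.strip())
    if not m:
        return None
    raw = m.group(2).split()
    every = next((f.split(":", 1)[1] for f in raw if f.lower().startswith("/every:")), "")
    return {"time": m.group(1), "interactive": any(f.lower() == "/interactive" for f in raw),
            "days": every.split(",") if every else [], "target": m.group(3)}


def persistence_findings(edges, at_cmds):
    """Which processes masquerade, which spawned at.exe, and what the jobs would run."""
    img = {c: ci for _, c, _, ci in edges}
    at_pids = sorted(pid for pid, image in img.items() if ntpath.basename(image.lower()) == "at.exe")
    jobs = [j for j in (parse_at_cmd(c) for c in at_cmds) if j]
    return {"at_pids": at_pids,
            "at_parents": sorted({lineage(edges, p)[-2] for p in at_pids}),
            "jobs": [(j["time"], j["target"], j["interactive"]) for j in jobs],
            "masquerades": sorted(pid for pid, image in img.items() if masquerades(image))}


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(edges)))
    print(persistence_findings(edges, AT_CMDS))
```

The tree shows why the report's own "Processes" list is hard to read: six of the fourteen processes carry the names explorer.exe, svchost.exe or spoolsv.exe, and all six run from c:\windows\system, a directory the genuine binaries never use. Anchoring a hunt on "svchost.exe with a parent that is not services.exe" or on "explorer.exe outside %SystemRoot%" would catch every one of them, whereas a name-based allowlist catches none.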

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 

MD5 6b3b44639456a3230e3838d0d2202939
SHA1 6aa554f51497c21d684d80fdf363e23b8f1f28f2
SHA256 eedb91d5c57418231eaf086f3739353392fa83267075bc50de2cabd11db66c1f
SHA512 fab38b9b7d587aed6f2ab267cf9afa878213832b86cc00519e0cf5880072aa95516796131afe87d641fe113f2041eef52988845df15b716330de0080bf5ccfea

C:\Users\Admin\AppData\Local\icsys.icn.exe

MD5 bdc833c683e49c6fa840b3ba6441ce72
SHA1 94e0f44c168f422baaef115f34b77e1bb6c85a34
SHA256 79a0ecb25f9100cd6486903402c6d23aab951c40272a9a73f718b9b2d1d1ace7
SHA512 994ad2f4906cb613c9bc06b60c865d0cddc3b3232b68687d2268fe5fca91d470de081f94bbae3a6684e23947b5e50c26282ab290c7207e899c32b595b4ec941c

C:\Windows\System\explorer.exe

MD5 2c90d252da433e45aa8ebf2e7cb2ab9c
SHA1 0d5cb04f0de19a307c22c03d59cce17f6809294b
SHA256 f651950d521d58d65788b92891fa9859d3807267cb6736046b215bfc4dfd6963
SHA512 ca1208ec933b1b7bb976604e7cf74cbffef3661c58c9616d3a553ab8dbf8e7a8c57aeae59abf54d42f6746430c93e78703f7c6fe29ddd280d0f4b1e891f44ba7

C:\Windows\System\spoolsv.exe

MD5 b5db216a87da8960eadd0ea90513aa8e
SHA1 13e630ec9d9771683f93a9a92b3c50ef04c7715d
SHA256 991522bed9c11c418fbc04558da4a62c9c93902e07b2d06c58207fc1ccd467b2
SHA512 a703a0702be6eba476b4eb762739014471c921624d71e7694711a7a960897b39adc5ec31c3fa05078f38bdaa0b8c52c008192ecd8be133210da3b30548c0f3bf

C:\Windows\System\svchost.exe

MD5 9e2f9a5f838c18cc520cfb86ae660048
SHA1 c24895dda76eceb87c56151426a3987058482d05
SHA256 9461d7fe275eb242bfbcf658148ae7d477af91d25ae8d1c987a116dcf0fd64ef
SHA512 334b32bf27a40af0e6839437f01f0344c97f9d685d9dfa4e7e0d587687e59745b961a5d2b9342e71966b3cd0276b2f86bab3e758d549bc50868119e269f7659b

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 c55142ca12bfff5353878e227ddab7d0
SHA1 35a00d6322ec17b1797d89bec54301d5403bc4b3
SHA256 7d06f51613ca85af339fe6e7b7b60bf151b56714bb26ff34b58a3bacc7bb689d
SHA512 2e7de9a6f51c4fe0dfbf440415e8ae04f5409e7054a3ba175fc5df5fbd8621251b109e3119997d907676269c6fa4d38d6597b55a475b8350813e4ca056522834