Analysis Overview
SHA256
2949528469b271b19c76ecee742ec023b9609a75680e78ce802bdda6cbdb0a9c
Threat Level: Known bad
The file 2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader was found to be: Known bad.
Malicious Activity Summary
Detects Mofksys worm
Mofksys
Mofksys family
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 14:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 14:05
Reported
2025-05-20 14:08
Platform
win10v2004-20250502-en
Max time kernel
106s
Max time network
142s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Mofksys
Mofksys family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\SysWOW64\explorer.exe | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | \??\c:\windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe"
\??\c:\users\admin\appdata\local\temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
c:\users\admin\appdata\local\temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
C:\Users\Admin\AppData\Roaming\icsys.icn.exe
C:\Users\Admin\AppData\Roaming\icsys.icn.exe
\??\c:\windows\SysWOW64\explorer.exe
c:\windows\system32\explorer.exe
Network
| Country | Destination | Domain | Proto |
| GB | 2.16.153.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2025-05-20_556064dc8f4ec3f38e1d0336b64a9d6d_amadey_darkgate_elex_remcos_smoke-loader.exe
| MD5 | d5e07266f4e15f3e43ea7ced56c97603 |
| SHA1 | 43bb8526d2a927b656b45e193511d97fc5c43d66 |
| SHA256 | 7c0ef5ef4da0efda41f3fa2348b8bfc9b3cc644f9d0d6488b07b9f22adeca794 |
| SHA512 | 9b472a77b4fe3eadd67b3e628f2ed13d8b6ffc82ff4cf309ff428f461736791618840b6b273f93ef3bed1d78d5a3437ddab53d949fd724cb6d8c351109d5970b |
C:\Users\Admin\AppData\Roaming\icsys.icn.exe
| MD5 | 270c3dc6cbe3cb69b647f201e3a25ede |
| SHA1 | 8e8a5408fa9247a65a2a1bae2a083d2bc9cde3ef |
| SHA256 | fc6912de7cbe47a79fc098f51d7092b10b4f951d2a5ee68e5df49ae01fc950be |
| SHA512 | 81a2e753c11c915416f41e0ba4e63a2a6f71b89f4f6d182995374c930ad2b7081d81dab0c5f7d90b124a8163710e3edd0ef6d56d0da65f2a148213ec180672ef |