General

  • Target

    2025-06-03_13b5e64dc38806acca083d1322b498b9_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer

  • Size

    11.0MB

  • Sample

    250603-w19cysvpy2

  • MD5

    13b5e64dc38806acca083d1322b498b9

  • SHA1

    ac9d3790d6182d10dba51e757ef980716724eb43

  • SHA256

    e02301fec82958f3f4a4826e743c4254a606350b747d2e7ada54c6af15aa2cc1

  • SHA512

    ca30e83427aaf9f0180cd9a0f9e8f942415138c436a7a480f6fcb8b1b8255628461f9ef01c19cab1cad3959f1dea667904eab1a31c6a73d1b2737de0ae652c54

  • SSDEEP

    196608:Z6iENKhpjM+VjAOAoeZ1GbNdpF7B3eNzFf4KpGMG/9vR6POA93K8nICYHwrFIvTF:Z6iENKhpt6OneZ1GbNdpVB3eNzFf4KpS

Malware Config

Targets

    • Target

      2025-06-03_13b5e64dc38806acca083d1322b498b9_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer

    • Size

      11.0MB

    • MD5

      13b5e64dc38806acca083d1322b498b9

    • SHA1

      ac9d3790d6182d10dba51e757ef980716724eb43

    • SHA256

      e02301fec82958f3f4a4826e743c4254a606350b747d2e7ada54c6af15aa2cc1

    • SHA512

      ca30e83427aaf9f0180cd9a0f9e8f942415138c436a7a480f6fcb8b1b8255628461f9ef01c19cab1cad3959f1dea667904eab1a31c6a73d1b2737de0ae652c54

    • SSDEEP

      196608:Z6iENKhpjM+VjAOAoeZ1GbNdpF7B3eNzFf4KpGMG/9vR6POA93K8nICYHwrFIvTF:Z6iENKhpt6OneZ1GbNdpVB3eNzFf4KpS

    • Detects Mofksys worm

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Mofksys

      Mofksys is a worm written in Visual Basic.

    • Mofksys family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks