Malware Analysis Report

2025-08-10 19:49

Sample ID: 250702-xh9fnshr8y
Target: 2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer
SHA256: eb4503d4d1eada35dc8228d3a470ac6306fe54a082582deb2999fc2cd6dccc84
Tags: defense_evasion discovery trojan
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: eb4503d4d1eada35dc8228d3a470ac6306fe54a082582deb2999fc2cd6dccc84

Threat Level: Shows suspicious behavior

The file 2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery trojan

Checks whether UAC is enabled

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-02 18:52

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-02 18:52

Reported: 2025-07-02 18:55

Platform: win10v2004-20250619-en

Max time kernel: 103s

Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe"

Signatures

Checks whether UAC is enabled

Tags: defense_evasion trojan

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe
Target: N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe"

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe

C:\Users\Admin\AppData\Local\Temp\2025-07-02_e5de00d231fc11f0014cff8f8eb873a9_amadey_black-basta_darkgate_elex_luca-stealer.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\138.0.7194.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=138.0.7194.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x284,0x288,0x28c,0x280,0x25c,0x9229c0,0x9229cc,0x9229d8

Network

Country  Destination          Domain            Proto
US       8.8.8.8:53           tse1.mm.bing.net  udp
US       150.171.27.10:443    tse1.mm.bing.net  tcp
US       150.171.27.10:443    tse1.mm.bing.net  tcp
US       150.171.27.10:443    tse1.mm.bing.net  tcp
US       150.171.27.10:443    tse1.mm.bing.net  tcp
US       150.171.27.10:443    tse1.mm.bing.net  tcp
GB       142.250.179.227:80   c.pki.goog        tcp

Files

memory/1080-0-0x0000000000400000-0x0000000000A79000-memory.dmp

C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

MD5: d2f5a806fa4aef861ee9db76de759f59
SHA1: dd5bb5fe88592f2d5e2b9bc1309af58f82baf653
SHA256: c9675cdf2da03c70d1f5ee99d4d0b90bc42243a4c324e2ce400a6615ca857f91
SHA512: 3ecdaccbf100bcf3d4b31c6390ae51af80563c3f92c9adfae95324f43c80e008a6e1689d27ead001df1c5079f44c5ccca35646cbfd534a5281a3c9804492dc2c

memory/4580-2-0x0000000000400000-0x0000000000A79000-memory.dmp

memory/1080-3-0x0000000000400000-0x0000000000A79000-memory.dmp

memory/4580-6-0x0000000000400000-0x0000000000A79000-memory.dmp