Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/07/2025, 18:53

Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  Resource: win11-20250610-en
General
Target: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
Size: 1.2MB
MD5: d627a02bd7c66fde7aded5cd3663c88e
SHA1: 005e01a8f50b32475a91fe70b41031f92439963e
SHA256: 3d52cd593b20c3d040d4227ac0d3e4477f8d11289b5208946a12f826315da04b
SHA512: 697476fedc69e522f6e079b8cfa2aa2448b24ae31e2f773dd2a7cdc086b3f6429c51ba040f8eec208d6ff191ae9188a6badfdd6056feb7b142240d9b8fa2d594
SSDEEP: 3072:tZTz1WIXC6GESSgWNRXumi7+IF6foPCaTRMXbaev0FQcmWk6kwsNIf6cHzbQ2v0V:tZHcIX9SSgMi+IFZMbQrkodzb4VF2Yd
Malware Config

Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Control Panel\International\Geo\Nation (Process: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Control Panel\International\Geo\Nation (Process: audiohd.exe)
Executes dropped EXE (1 IoC)
  PID 2656: audiohd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: csc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: audiohd.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 6104: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  PID 2656: audiohd.exe
  PID 4740: powershell.exe
  PID 4740: powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 6104: 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
  Token: SeDebugPrivilege, PID 2656: audiohd.exe
  Token: SeDebugPrivilege, PID 4740: powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 6104 wrote to memory of 2656 | 6104 | 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe | 88
  PID 6104 wrote to memory of 2656 | 6104 | 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe | 88
  PID 6104 wrote to memory of 2656 | 6104 | 2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe | 88
  PID 2656 wrote to memory of 4740 | 2656 | audiohd.exe | 89
  PID 2656 wrote to memory of 4740 | 2656 | audiohd.exe | 89
  PID 2656 wrote to memory of 4740 | 2656 | audiohd.exe | 89
  PID 4740 wrote to memory of 4936 | 4740 | powershell.exe | 94
  PID 4740 wrote to memory of 4936 | 4740 | powershell.exe | 94
  PID 4740 wrote to memory of 4936 | 4740 | powershell.exe | 94
  PID 4936 wrote to memory of 5664 | 4936 | csc.exe | 96
  PID 4936 wrote to memory of 5664 | 4936 | csc.exe | 96
  PID 4936 wrote to memory of 5664 | 4936 | csc.exe | 96
Processes

1. C:\Users\Admin\AppData\Local\Temp\2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-02_d627a02bd7c66fde7aded5cd3663c88e_black-basta_darkgate_elex_luca-stealer.exe"
   PID: 6104
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
      PID: 2656
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
         PID: 4740
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\smatrb0s\smatrb0s.cmdline"
            PID: 4936
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
               Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70DA.tmp" "c:\Users\Admin\AppData\Local\Temp\smatrb0s\CSCB47B7100F5344BA4B487FDD0875CAEA7.TMP"
               PID: 5664
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads