Malware Analysis Report

2025-08-10 19:53

Sample ID 250703-gmpn3avns5
Target 2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer
SHA256 f8df5267cac1b595adf683c78c611987b1ab447cae151896a96628db19d5346d
Tags
discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f8df5267cac1b595adf683c78c611987b1ab447cae151896a96628db19d5346d

Threat Level: Likely malicious

The file 2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer was found to be: Likely malicious.

Malicious Activity Summary

discovery

Downloads MZ/PE file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:55

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:55

Reported

2025-07-03 05:58

Platform

win10v2004-20250619-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.browser.yandex.net udp
US 8.8.8.8:53 api.browser.yandex.ru udp
US 8.8.8.8:53 download.cdn.yandex.net udp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
RU 37.9.64.225:443 download.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
US 8.8.8.8:53 cloudcdn-fra-02.cdn.yandex.net udp
DE 5.45.200.109:443 cloudcdn-fra-02.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
RU 213.180.193.234:443 api.browser.yandex.ru tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 e0e68b9a2c0602f3f97eb69a6f3ff1bb
SHA1 5d53a90c17f093d63854297e1cd989cda0772028
SHA256 a6e47c401a024a0570fb894952105695cacac479e38b249832d5403d8166de01
SHA512 320ebd2a226a8f44eec90bbafda132e12f6690742dd614c44279ff78a1a07525a98018beb21b081ad764c82d15dc5e98a984b61e561dfd8b922a8480430f3241

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 c351e74a1eb8d5893548c8a4f08a393e
SHA1 116789f099d729783eb3821005e4628ba511498a
SHA256 828e891d3aa39f52bcae08c0b73978b5c66d30ec90e1eff031b4e933230be369
SHA512 94a417893159156cf771866aebf6ce07d81025e98d61309a31e526bd01d4243ee778551c0d6415697ed6683da8131b3bfb4747cd47c3c781038e9ba682f3757b

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:55

Reported

2025-07-03 05:58

Platform

win11-20250610-en

Max time kernel

104s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9b46dc818d2f96b70951475d9b668c9a_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.browser.yandex.ru udp
US 8.8.8.8:53 download.cdn.yandex.net udp
US 8.8.8.8:53 api.browser.yandex.net udp
RU 213.180.193.234:443 api.browser.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
RU 37.9.64.225:443 download.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
DE 5.45.200.109:443 cloudcdn-fra-02.cdn.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
RU 213.180.193.234:443 api.browser.yandex.net tcp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 780caa06bc525ca1e7ecb5c3f876680a
SHA1 262f26b659a5b2fdf57464cbbd0e97a8b70fb357
SHA256 2545040ff0482d4feb6b555ba232c6d8ef200bacfc748210cb93cb94b5fa4be8
SHA512 7b14548f969d346bb586b1299ed4c22cd52922f066b847759b1d8c28e0b393e1af3c29357165b74a7d90376c15f7adbec40ace0d8f7f4063742e02f01624c562

C:\Users\Admin\AppData\Roaming\Yandex\ui

MD5 1496d6698919f249402fc9c149322de4
SHA1 34386141e111a019c42238bc4d90ce192ab73d00
SHA256 e096aa0eda1f38c424c94ed2bc78c4f1643463a1b5ef1276ecd58bf5b7418763
SHA512 ea33aee8b5f162a74a1be2f8b1939d1c016794a8b6a70f844ec92e5d7c179ccbde0305b17b633a50a55b12ee23a94b7d67dbfa2338b3f418bb64c35bc98d351a