Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:03

General

  • Target
    2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  • Size
    1.4MB
  • MD5
    8bb50c13f25fb5dc1e9db00d794e7b31
  • SHA1
    1608ddbe1fa02c45b7b0f8d4a6eb87b8d4f5f5a3
  • SHA256
    7bae64350701e2655b9e5b854d016704755550ae40d5040463bcb26aaefda3e0
  • SHA512
    28f0a6a81207bb46a460a54d0fb9c6d262c4d6ef59fb6c1485b7b9e2dcbae1aa2d1c49fe52041277984b387e34b8e8bc3033036edf6c5c10fd561eb6be5f6009
  • SSDEEP
    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk28vyjwOhTJ9V:oGeGO+njdzOvljv928QfhTd

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:3968
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2920

Downloads

  • C:\905c0769f9a06c95a24ddf945\patcher.exe
    Filesize: 1.4MB
    MD5: 8bb50c13f25fb5dc1e9db00d794e7b31
    SHA1: 1608ddbe1fa02c45b7b0f8d4a6eb87b8d4f5f5a3
    SHA256: 7bae64350701e2655b9e5b854d016704755550ae40d5040463bcb26aaefda3e0
    SHA512: 28f0a6a81207bb46a460a54d0fb9c6d262c4d6ef59fb6c1485b7b9e2dcbae1aa2d1c49fe52041277984b387e34b8e8bc3033036edf6c5c10fd561eb6be5f6009
  • C:\Program Files\7-Zip\7z.exe
    Filesize: 1.9MB
    MD5: 7dfc00e92627c9eaa5a74e1a658812ec
    SHA1: 5bcb51da8a278605f51b1d24f2356c7f9f4c2107
    SHA256: f14ef943f5656a0a235477d1d7e65a5f9881373158faf311a04ac4b6cbe2201e
    SHA512: e90f9ad37151ee51f9e7a3637184fb5686c7d59c2adff6d99f46eae8cf2a2efaec211f92d35507f0e8861a15017100cd4a69265ff1799155f6bbc423e87b195e
  • C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE
    Filesize: 1.6MB
    MD5: d5b5fe36823384c4407d6d0f23cd939f
    SHA1: e43fc12bf4e359b4185a89be299d20bb5b3298de
    SHA256: 9142b7899599ea65fd26856f6a18d26d8461c0621999891d8d5897053afdb6d0
    SHA512: b6670cefc1f78278ed3371fe729e2686b477e7869070fd5e5fd602eeb11312b77b8e28331afebe5f158f55f00703d71d0d3758ada756c3848c9cbd8981320e1e
  • C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe
    Filesize: 1.5MB
    MD5: 71c7c53214c916c6863eaae33bd94c01
    SHA1: 454a46146d5ef711345c0e8a5107225a691efaee
    SHA256: 73278017f56e5c3094d23729b9793d6e25f51df7694641641f60bf7744de905d
    SHA512: 27eeaf249b3ac119295939b323348e0149824ba7a9214d017c16a1ec3957418a81d358b9b52d19c6f416e04a99df3746618ecc94aa064bec9bcf59a3a1edabe3
  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe
    Filesize: 1.5MB
    MD5: 7221bb4b18de1bc920104a76614e6d78
    SHA1: cf722ef133870a00ee744bcd8fd0f6c455340c8d
    SHA256: fdb35ea8a9e13ad1d5a33049b3ff8397345b5a645e9a764e6e2c1d348a9657bf
    SHA512: 386229868781c42476b6b82382933fc1c87781604b266cf08b0bdc41283174551c0617f9f9eb7a38017cbce5b54eda0ce3217483954b76eeab3168cf0b845922
  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe$
    Filesize: 2.2MB
    MD5: cc6b60d058a44a518a3e131d36c805f1
    SHA1: 51cce02a6522d1c902b4a63fdf53d408a093b0bf
    SHA256: 6c42c0821c3378900284e50c7d0d40a26826666a331a10c2452143765575f22e
    SHA512: 896897642e00d155c8f732690a998b842979e20897db71c8bcd84559697ff0e6f3530efb95a04ca3f7cec152c3040a43fb944eb9795072f6a1bdab8c1cb423ce
  • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$
    Filesize: 1.5MB
    MD5: 4befd370c846b845446dcc456a9af5b5
    SHA1: 564d915ae7e569d6f663299f845f918683508ef3
    SHA256: dd899aefcf73adaffdd4cdf56035b1e0dbf3732bf3bfa97c6208033a69b0e2ca
    SHA512: 6fa9d927c187cee34666a068896562eb69abab3a896f0e609eea541a19eb9b6d7f647ad32ae2e735216c0172d01c2e189399e96d7bc71e43c6f5036f83e9b3e1
  • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$
    Filesize: 1.9MB
    MD5: 04779aad969ab7df99f5fc925a5f1eb2
    SHA1: 22328401bd4111530f0d55c7f9fed716f300d15f
    SHA256: 9f9403f00ef4004e6a57de53cd1312378f125269090935405a0e83dc76297f99
    SHA512: b9b9db1a33a416178f2ad89d7514f5bef4bb7d7948e54d439b385feb1007e1c830bcb564ffa0d5221d12619514adb56683658e874beb6070e0d428c1ba2b8273
  • memory/2920-8-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB
  • memory/2920-1610-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB
  • memory/3968-0-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB
  • memory/3968-1609-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB