Analysis
max time kernel: 120s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:03
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win10v2004-20250502-en
General
Target: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.4MB
MD5: 8bb50c13f25fb5dc1e9db00d794e7b31
SHA1: 1608ddbe1fa02c45b7b0f8d4a6eb87b8d4f5f5a3
SHA256: 7bae64350701e2655b9e5b854d016704755550ae40d5040463bcb26aaefda3e0
SHA512: 28f0a6a81207bb46a460a54d0fb9c6d262c4d6ef59fb6c1485b7b9e2dcbae1aa2d1c49fe52041277984b387e34b8e8bc3033036edf6c5c10fd561eb6be5f6009
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk28vyjwOhTJ9V:oGeGO+njdzOvljv928QfhTd
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  PID 2920  Process: patcher.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  Process: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"  Process: patcher.exe

Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\autorun.inf  Process: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  File opened for modification  C:\Windows\SysWOW64\:\autorun.inf  Process: patcher.exe

Drops file in System32 directory (1 IoCs)
  File opened for modification  C:\Windows\SysWOW64\:\autorun.inf  Process: patcher.exe

Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: patcher.exe

NTFS ADS (1 IoCs)
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\autorun.inf  Process: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3968  Process: 2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  PID 2920  Process: patcher.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3340 wrote to memory of 2920  PID: 3340  Process: cmd.exe  procid_target: 87
  PID 3340 wrote to memory of 2920  PID: 3340  Process: cmd.exe  procid_target: 87
  PID 3340 wrote to memory of 2920  PID: 3340  Process: cmd.exe  procid_target: 87
Processes

Image: C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8bb50c13f25fb5dc1e9db00d794e7b31_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
PID: 3968
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx

Image: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
PID: 3340
  - Suspicious use of WriteProcessMemory

    Image: C:\905c0769f9a06c95a24ddf945\patcher.exe (child of cmd.exe, PID 3340)
    Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    PID: 2920
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads