Analysis

  • max time kernel
    118s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:05

General

  • Target

    2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

  • Size

    1.3MB

  • MD5

    9e7f916c159d0a85c41129d08a442d24

  • SHA1

    78fc30891444fb99bfc13180132436b28cc0494a

  • SHA256

    351ee7b7018edee0177827346114717370a35b1ed902929769ebbbdaf2c2fd68

  • SHA512

    2116a4901a919b5c266362d00cfb8337abd62fc97a2042dec525cbfeb558d51bd7cc4bb27548efd61730ed5ab95be66479d0db5c7c0f31220e83195dfce4ed79

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2dT:oGeGO+njdzOvljv92dT

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows AutoRun to spread further via attached volumes. Note that Windows 7 and later do not honour autorun.inf on USB sticks and other non-optical removable media (only optical discs still trigger AutoRun), so on a modern host a dropped autorun.inf is mainly a propagation artefact and a detection signal rather than a reliable execution path.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
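
The autorun.inf signature above is worth a concrete check. The Python below is an added example, not part of the sandbox report or any tool it describes: it parses an autorun.inf the way a hunting script would, reading the [autorun] section case-insensitively with configparser, collecting every key Windows treats as a launch hook (open, shellexecute and shell\<verb>\command) and flagging the file when any of them runs an executable. The autorun.inf content is constructed for the example, since the report lists the dropped file but not its contents; pointing it at patcher.exe is an assumption.

```python
import configparser
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample for this example: the report above says the sample dropped an
# autorun.inf but does not show its contents, so this file is illustrative only and
# the patcher.exe target is assumed, not taken from the report.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; worm-style autorun.inf: every launch hook points at the dropped binary
open=patcher.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
shell\\open\\command=patcher.exe
shell\\explore\\command="patcher.exe" /explore
shellexecute=patcher.exe
UseAutoPlay=0
"""

# Keys whose value Windows runs (or offers to run) when the volume is mounted.
LAUNCH_KEYS = {"open", "shellexecute"}
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Extensions that execute directly when named as an AutoRun target.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}


@dataclass
class AutorunVerdict:
    launch_targets: dict = field(default_factory=dict)  # key -> raw command string
    executables: list = field(default_factory=list)     # programs those commands run
    suspicious: bool = False


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as lowercase key -> value.

    The section header is matched case-insensitively, duplicate keys are tolerated
    and '%' is not interpolated; text that is not INI at all yields {} (no exception).
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def first_token(command: str) -> str:
    """Program name from a command string, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(text: str) -> AutorunVerdict:
    """Collect every launch hook and flag the file if any of them runs an executable."""
    verdict = AutorunVerdict()
    for key, value in parse_autorun(text).items():
        if value and (key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key)):
            verdict.launch_targets[key] = value
            program = first_token(value)
            if program and program not in verdict.executables:
                verdict.executables.append(program)
    verdict.suspicious = any(
        ntpath.splitext(p)[1].lower() in EXEC_EXTENSIONS for p in verdict.executables
    )
    return verdict


if __name__ == "__main__":
    v = assess(SAMPLE_AUTORUN_INF)
    print("launch hooks:", v.launch_targets)
    print("executables:", v.executables, "suspicious:", v.suspicious)
```

Because Windows 7 and later ignore autorun.inf on USB and other non-optical media, this check is most useful as a hunting rule run over the roots of mounted volumes and file shares, where a fresh autorun.inf next to a dropped binary is a strong indicator regardless of whether the host would ever execute it.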

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:5316
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:6020

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          9e7f916c159d0a85c41129d08a442d24

          SHA1

          78fc30891444fb99bfc13180132436b28cc0494a

          SHA256

          351ee7b7018edee0177827346114717370a35b1ed902929769ebbbdaf2c2fd68

          SHA512

          2116a4901a919b5c266362d00cfb8337abd62fc97a2042dec525cbfeb558d51bd7cc4bb27548efd61730ed5ab95be66479d0db5c7c0f31220e83195dfce4ed79

        • C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe$

          Filesize

          1.4MB

          MD5

          a584dda1d6e939d410c9c34afc57143f

          SHA1

          e8f1934033b97688b85fa3e5620af23110d86a0c

          SHA256

          a6a3b19cb9096de146f2dad391b730acbf5c9d53e80976fb7127925719813696

          SHA512

          594dec378e352643da11e8c5cb9cacce30be568395e030ab0bd658cb1eac2e02f18ca578ba87f6f37a8b6cd196cdc36f3ca7a704706130b7c83acd79d2d1b4a7

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          47304b6fa7ce38754b30dea86d780b11

          SHA1

          23c1a26d935e68435c6e632e658c368e5038588f

          SHA256

          60fb81d1359e89fec7e24dfe35d4fe62d637dc00dbff7e4d89f16fd16a8dc5d7

          SHA512

          014513828bebc27550dde3df25234b8fa849f4e59f799ee6b37bd6af5fc1e9b3415ee29ff05430d8e1552c1169878ad4e9cbc0dc22a5e87a5805dba32b74d467

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe$

          Filesize

          1.3MB

          MD5

          dee122d8556918f659b744b54b95f046

          SHA1

          805ef35253afb6af63fd5c27f7a74f9b012c7564

          SHA256

          6982c9c23637b5259beff25eb9daeecf290f1e6d205bb21f42a2a389f9c85694

          SHA512

          36843838c2e56f20b4ba14e76008eb5743a0ed9556c43ff3debfa36e3beb106d38884714c1d152de249f76aefb887e3d2d4464adb591f75af17f8f189129b4cd

        • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe

          Filesize

          1.3MB

          MD5

          0f8ff30c7ebab6a992d2a07e179d0f17

          SHA1

          d2b4054be602f2c1c685faab44a09e20c3238b07

          SHA256

          4e6d3a4133459213ff8bc332aaa823df4db0e9bf2a50f0c6ff65b006ad2fe125

          SHA512

          9f04993bc505844b7d98eda9d532911c2ae1bfb1379d465b94aad741ae5b2327da5b609770562368c8f5ae0dd53e2a86bd4dc2e9dbd31992cdafdbd501b08cce

        • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$

          Filesize

          1.7MB

          MD5

          6d80e5cd9a84ff6de81f8fae4a5aadfa

          SHA1

          4935b77678350caeb042dd1fb25e101773da59ea

          SHA256

          a8f2be640b77a1961b0453e517d48647c751366cf578d8068fc73a0384a636b4

          SHA512

          40c34cbfbdbff112b3f098b62f2808bfcc4cc348f1f60981b2ab0f2e27ed5cede6c24d23764fd6a4b8761e1d31096ddcdc8bb069a0d75eb34b4f6797e2d6f790

        • memory/5316-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5316-1562-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/6020-1563-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB
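
Turning the report into hunt-ready indicators: the Processes list encodes parent/child relations only through the N⤵ depth marker and indentation, and the Downloads list is a flat label/value sequence. The Python below is an added example, not part of the sandbox report or any tool: it parses excerpts of both sections, rebuilds the process tree (cmd.exe, PID 4356, launching the dropped C:\905c0769f9a06c95a24ddf945\patcher.exe as PID 6020) and confirms what the hashes already show, namely that patcher.exe carries exactly the submitted sample's MD5, SHA-1, SHA-256 and SHA-512, so the sample wrote a copy of itself into a new directory at the drive root and ran it via cmd.exe /c. In the embedded excerpt the long sample filename is shortened to sample.exe and the tag lists are trimmed; the directory name, PIDs and hashes are the report's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpts constructed by copying lines from the Processes and Downloads sections of
# the report above. Tag lists are shortened and the long sample filename is written
# as sample.exe; the directory name, PIDs and hash values are the report's own.
PROCESSES = r"""
  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    PID:5316
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      PID:6020
"""
DOWNLOADS = r"""
  • C:\905c0769f9a06c95a24ddf945\patcher.exe
    Filesize
    1.3MB
    SHA256
    351ee7b7018edee0177827346114717370a35b1ed902929769ebbbdaf2c2fd68
  • C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe$
    Filesize
    1.4MB
    SHA256
    a6a3b19cb9096de146f2dad391b730acbf5c9d53e80976fb7127925719813696
  • memory/5316-0-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize
    52KB
"""
SAMPLE_SHA256 = "351ee7b7018edee0177827346114717370a35b1ed902929769ebbbdaf2c2fd68"


@dataclass
class Proc:
    path: str
    cmdline: str
    pid: int
    parent_pid: Optional[int]
    tags: list = field(default_factory=list)


DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}


def _clean(text: str) -> list:
    """Drop indentation and blank lines; the report's layout carries no other meaning."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_processes(text: str) -> list:
    """Rebuild the tree: an entry at depth d is a child of the latest entry at depth d-1.
    Each entry is: path line, command line, N⤵ depth marker, tag lines, PID line."""
    lines = _clean(text)
    procs, last_at_depth, i = [], {}, 0
    while i < len(lines):
        m = DEPTH_RE.match(lines[i])
        if not m:
            i += 1
            continue
        depth, path, cmdline = int(m.group(1)), lines[i - 2].lstrip("• "), lines[i - 1]
        tags, j = [], i + 1
        while j < len(lines) and not PID_RE.match(lines[j]):
            tags.append(lines[j].lstrip("• "))
            j += 1
        if j == len(lines):
            break  # truncated entry with no PID line: ignore it
        parent = last_at_depth.get(depth - 1)
        proc = Proc(path, cmdline, int(PID_RE.match(lines[j]).group(1)),
                    parent.pid if parent else None, tags)
        procs.append(proc)
        last_at_depth[depth] = proc
        i = j + 1
    return procs


def parse_downloads(text: str) -> list:
    """Each '•' line opens an entry; a field label line is followed by its value line."""
    entries, lines, i = [], _clean(text), 0
    while i < len(lines):
        if lines[i].startswith("•"):
            entries.append({"path": lines[i].lstrip("• ")})
            i += 1
        elif lines[i] in FIELDS and entries and i + 1 < len(lines):
            entries[-1][lines[i].lower()] = lines[i + 1]
            i += 2
        else:
            i += 1
    return entries


def lineage(procs: list) -> list:
    """'parent > child' strings for every process that has a parent in the tree."""
    by_pid = {p.pid: p for p in procs}
    return [f"{by_pid[p.parent_pid].path} > {p.path}" for p in procs if p.parent_pid in by_pid]


def self_copies(entries: list, sample_sha256: str) -> list:
    """Dropped files that are byte-identical to the submitted sample (same SHA-256)."""
    return [e["path"] for e in entries if e.get("sha256") == sample_sha256]
```

The memory/... entries carry only a Filesize and are kept in the parsed list so they can be filtered on the path prefix; the parser does not interpret the trailing `$` on some dropped paths, which is reproduced here exactly as the report shows it.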