Analysis
max time kernel: 118s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:05
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win10v2004-20250610-en
General
Target: 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.3MB
MD5: 9e7f916c159d0a85c41129d08a442d24
SHA1: 78fc30891444fb99bfc13180132436b28cc0494a
SHA256: 351ee7b7018edee0177827346114717370a35b1ed902929769ebbbdaf2c2fd68
SHA512: 2116a4901a919b5c266362d00cfb8337abd62fc97a2042dec525cbfeb558d51bd7cc4bb27548efd61730ed5ab95be66479d0db5c7c0f31220e83195dfce4ed79
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2dT:oGeGO+njdzOvljv92dT
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
6020 | patcher.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\elevation_service.exe | patcher.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_helper.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_helper.exe$ | patcher.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedgewebview2.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoia.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe$ | patcher.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | patcher.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe$ | patcher.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe$ | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
NTFS ADS (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
5316 | 2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
6020 | patcher.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4356 wrote to memory of 6020 | 4356 | cmd.exe | 88
PID 4356 wrote to memory of 6020 | 4356 | cmd.exe | 88
PID 4356 wrote to memory of 6020 | 4356 | cmd.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_9e7f916c159d0a85c41129d08a442d24_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID: 5316

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
- Suspicious use of WriteProcessMemory
PID: 4356

    C:\905c0769f9a06c95a24ddf945\patcher.exe (child of cmd.exe, PID 4356)
    Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 6020
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 1.3MB
MD5: 9e7f916c159d0a85c41129d08a442d24
SHA1: 78fc30891444fb99bfc13180132436b28cc0494a
SHA256: 351ee7b7018edee0177827346114717370a35b1ed902929769ebbbdaf2c2fd68
SHA512: 2116a4901a919b5c266362d00cfb8337abd62fc97a2042dec525cbfeb558d51bd7cc4bb27548efd61730ed5ab95be66479d0db5c7c0f31220e83195dfce4ed79

Filesize: 1.4MB
MD5: a584dda1d6e939d410c9c34afc57143f
SHA1: e8f1934033b97688b85fa3e5620af23110d86a0c
SHA256: a6a3b19cb9096de146f2dad391b730acbf5c9d53e80976fb7127925719813696
SHA512: 594dec378e352643da11e8c5cb9cacce30be568395e030ab0bd658cb1eac2e02f18ca578ba87f6f37a8b6cd196cdc36f3ca7a704706130b7c83acd79d2d1b4a7

Filesize: 1.8MB
MD5: 47304b6fa7ce38754b30dea86d780b11
SHA1: 23c1a26d935e68435c6e632e658c368e5038588f
SHA256: 60fb81d1359e89fec7e24dfe35d4fe62d637dc00dbff7e4d89f16fd16a8dc5d7
SHA512: 014513828bebc27550dde3df25234b8fa849f4e59f799ee6b37bd6af5fc1e9b3415ee29ff05430d8e1552c1169878ad4e9cbc0dc22a5e87a5805dba32b74d467

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe$
Filesize: 1.3MB
MD5: dee122d8556918f659b744b54b95f046
SHA1: 805ef35253afb6af63fd5c27f7a74f9b012c7564
SHA256: 6982c9c23637b5259beff25eb9daeecf290f1e6d205bb21f42a2a389f9c85694
SHA512: 36843838c2e56f20b4ba14e76008eb5743a0ed9556c43ff3debfa36e3beb106d38884714c1d152de249f76aefb887e3d2d4464adb591f75af17f8f189129b4cd

Filesize: 1.3MB
MD5: 0f8ff30c7ebab6a992d2a07e179d0f17
SHA1: d2b4054be602f2c1c685faab44a09e20c3238b07
SHA256: 4e6d3a4133459213ff8bc332aaa823df4db0e9bf2a50f0c6ff65b006ad2fe125
SHA512: 9f04993bc505844b7d98eda9d532911c2ae1bfb1379d465b94aad741ae5b2327da5b609770562368c8f5ae0dd53e2a86bd4dc2e9dbd31992cdafdbd501b08cce

Filesize: 1.7MB
MD5: 6d80e5cd9a84ff6de81f8fae4a5aadfa
SHA1: 4935b77678350caeb042dd1fb25e101773da59ea
SHA256: a8f2be640b77a1961b0453e517d48647c751366cf578d8068fc73a0384a636b4
SHA512: 40c34cbfbdbff112b3f098b62f2808bfcc4cc348f1f60981b2ab0f2e27ed5cede6c24d23764fd6a4b8761e1d31096ddcdc8bb069a0d75eb34b4f6797e2d6f790