Analysis
max time kernel: 119s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:08
Static task: static1
Behavioral task behavioral1: sample 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe on resource win10v2004-20250610-en
Behavioral task behavioral2: sample 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe on resource win11-20250619-en
The signatures and process tree below are from the windows10-2004_x64 run (behavioral1).
General
Target: 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.8MB
MD5: aa8bba91f5fa7f19b5f07af74bd8cf3f
SHA1: 52e078027ec57c6e63a35e463166f0213e898da1
SHA256: 6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309
SHA512: 0cba92bcef35b18e15fd6bd871787b7bf7fae2008dc92e76d6262c21246a7f2e101c8891094f19b4295a7e0b0131d50c17065ca1d5241b47e4175e2d893e0ea6
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2TSi1SoCU5qJSr1eWPSCsP0MY:oGeGO+njdzOvljv92DS7PLjeT
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid | process
116 | patcher.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Both the submitted sample and the dropped patcher.exe write the same machine-wide Run value, named WinFirewall, pointing at the dropped binary in a hex-named directory under the drive root. WOW6432Node is the 32-bit view of HKLM\SOFTWARE, so the write came from a 32-bit process under registry redirection and shows up as HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to 32-bit code.
-
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Neither path is a volume root: both are autorun.inf names written in the "directory\:\name" form that the sandbox classifies as an NTFS alternate data stream (see the NTFS ADS signature below). The propagation sentence is the signature's generic description; no write to a removable volume is recorded in this run.
-
Drops file in System32 directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
-
Drops file in Program Files directory (64 IoCs)
In the process column, "sample" is the submitted file 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (PID 3692) and patcher.exe is the dropped executable C:\905c0769f9a06c95a24ddf945\patcher.exe (PID 116).
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe | sample
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe | sample
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe$ | patcher.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | sample
File created | C:\Program Files\VideoLAN\VLC\uninstall.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmprph.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | sample
File created | C:\Program Files\Java\jre-1.8\bin\java.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | sample
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe$ | sample
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ie_to_edge_stub.exe$ | sample
File opened for modification | C:\Program Files\dotnet\dotnet.exe$ | patcher.exe
File created | C:\Program Files\Java\jre-1.8\bin\servertool.exe | sample
File created | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | patcher.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe$ | sample
File created | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | sample
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | patcher.exe
File created | C:\Program Files\Mozilla Firefox\firefox.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | sample
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe | sample
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoia.exe$ | patcher.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\elevation_service.exe | patcher.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE$ | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe$ | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe$ | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | patcher.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | patcher.exe
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe$ | patcher.exe
File created | C:\Program Files\Java\jre-1.8\bin\javaws.exe | sample
File created | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | sample
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe | sample
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\setup.exe$ | sample
File opened for modification | C:\Program Files\7-Zip\7z.exe$ | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | sample
File created | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe | sample
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe$ | patcher.exe
The targets are executables that already exist on the analysis image (Java, Firefox, 7-Zip, Office, Edge, Acrobat), many of them opened for modification next to a sibling with a trailing "$" in the name (java.exe$ beside java.exe, javacpl.exe$ beside a newly created javacpl.exe). That pattern is consistent with an infector rewriting existing binaries rather than simply dropping new files, and it is why the "Downloads" hashes at the end of this report do not match the submitted sample.
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
-
NTFS ADS (1 IoC)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
3692 | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
116 | patcher.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 3160 wrote to memory of 116 | 3160 | cmd.exe | 88
PID 3160 wrote to memory of 116 | 3160 | cmd.exe | 88
PID 3160 wrote to memory of 116 | 3160 | cmd.exe | 88
All three events are cmd.exe (PID 3160) writing into the patcher.exe child (PID 116) it has just created; a parent writing startup data into a freshly created child is ordinary process-creation behaviour, so on its own this signature is low-signal. The interesting part is the parent/child relationship it documents, which is shown in the process tree below.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (PID 3692, tree depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe (PID 3160, tree depth 1)
command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
- Suspicious use of WriteProcessMemory
    C:\905c0769f9a06c95a24ddf945\patcher.exe (PID 116, tree depth 2, child of cmd.exe PID 3160)
    command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
-
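The signatures and process tree above describe four behaviours a detection engineer would want to catch on a real host: a Run value that points at an executable outside Program Files or Windows, autorun.inf written as a directory stream, cmd.exe /c launching a binary from a hex-named directory under the drive root, and one process rewriting dozens of executables under Program Files. The block below is an added example, not code from the sandbox or from the report: it encodes those four checks as rules and replays them over constructed Sysmon-style event records built from this report's IoCs (event type names and field names such as type, image, target_object, details, target_filename and command_line are assumptions modelled on Sysmon, and the event list is a constructed subset, not captured telemetry). The aggregate rule goes slightly beyond the page by counting the ".exe$" sibling names separately, which is the tell that distinguishes an infector from an installer.

```python
"""Replay of this report's flagged behaviours as detection rules.
Added example; not sandbox code. Event schema is an assumption modelled
on Sysmon, and all events below are constructed from the report's IoCs."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f"
          r"_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe")
PATCHER = r"C:\905c0769f9a06c95a24ddf945\patcher.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# Run/RunOnce values in any hive, including the WOW6432Node (32-bit) view.
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
# Where a Run value pointing at an .exe is ordinarily expected (lower-cased prefixes).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")
# An executable inside a long hex-named directory directly under the drive root.
HEX_DIR_EXE_RE = re.compile(r'[a-z]:\\[0-9a-f]{16,}\\[^\\\s"]+\.exe', re.I)
# autorun.inf as a directory stream (the report's "dir\:\autorun.inf" form) or at a volume root.
AUTORUN_RE = re.compile(r"(\\:\\autorun\.inf|^[a-z]:\\autorun\.inf)$", re.I)
# Executables under Program Files; the optional '$' catches the .exe$ siblings in the report.
PF_EXE_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\.*\.exe\$?$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def exe_from_command(cmd):
    """First token of a command line (quoted or bare). Sandbox output shows
    registry data JSON-escaped ("C:\\\\dir\\\\x.exe"); the replace undoes that,
    at the cost of collapsing the leading pair of a UNC path."""
    cmd = cmd.strip().replace("\\\\", "\\")
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def rule_run_key(ev):
    """Run value whose executable lives outside Program Files / Windows."""
    if ev["type"] != "RegistryValueSet":
        return None
    m = RUN_VALUE_RE.search(ev["target_object"])
    if not m:
        return None
    exe = exe_from_command(ev["details"])
    if exe.lower().endswith(".exe") and not exe.lower().startswith(TRUSTED_PREFIXES):
        return f"Run value {m.group('name')} -> {exe}"
    return None


def rule_autorun_inf(ev):
    """autorun.inf written as a directory stream or to a volume root."""
    if ev["type"] == "FileCreate" and AUTORUN_RE.search(ev["target_filename"]):
        return f"autorun.inf written: {ev['target_filename']}"
    return None


def rule_cmd_hex_dir(ev):
    """cmd.exe launching an executable from a hex-named root directory."""
    if ev["type"] != "ProcessCreate" or basename(ev["image"]).lower() != "cmd.exe":
        return None
    m = HEX_DIR_EXE_RE.search(ev["command_line"])
    return f"cmd.exe launches {m.group(0)}" if m else None


def rule_mass_pf_writes(events, threshold=10):
    """Aggregate: one process writing many executables under Program Files.
    Returns [(image, {"exe": n, "tmp": n})] for images at or over threshold;
    'tmp' counts the '.exe$' names left beside rewritten binaries."""
    per_image = defaultdict(lambda: {"exe": 0, "tmp": 0})
    for ev in events:
        if ev["type"] == "FileCreate" and PF_EXE_RE.match(ev["target_filename"]):
            per_image[ev["image"]]["tmp" if ev["target_filename"].endswith("$") else "exe"] += 1
    return [(img, c) for img, c in per_image.items() if c["exe"] + c["tmp"] >= threshold]


def evaluate(events):
    """Run every rule; returns (rule name, process basename, detail) tuples."""
    hits = []
    for ev in events:
        for rule in (rule_run_key, rule_autorun_inf, rule_cmd_hex_dir):
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, basename(ev["image"]), detail))
    for img, c in rule_mass_pf_writes(events):
        hits.append(("rule_mass_pf_writes", basename(img),
                     f"{c['exe']} .exe and {c['tmp']} .exe$ files written under Program Files"))
    return hits


def _fc(image, path):
    return {"type": "FileCreate", "image": image, "target_filename": path}


# Constructed events mirroring the report (a subset of the 64 Program Files writes;
# the sample's own writes are kept below the aggregate threshold on purpose).
REPORT_EVENTS = [
    {"type": "RegistryValueSet", "image": SAMPLE,
     "target_object": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall",
     "details": r'"C:\\905c0769f9a06c95a24ddf945\\patcher.exe"'},
    _fc(SAMPLE, r"C:\Users\Admin\AppData\Local\Temp\:\autorun.inf"),
    {"type": "ProcessCreate", "image": CMD, "command_line": CMD + " /c " + PATCHER},
    _fc(PATCHER, r"C:\Windows\SysWOW64\:\autorun.inf"),
    _fc(SAMPLE, r"C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe"),
    _fc(SAMPLE, r"C:\Program Files\Java\jre-1.8\bin\java.exe"),
    _fc(SAMPLE, r"C:\Program Files\7-Zip\7z.exe$"),
] + [_fc(PATCHER, p) for p in (
    r"C:\Program Files\Java\jdk-1.8\bin\jjs.exe$", r"C:\Program Files\VideoLAN\VLC\uninstall.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Program Files\dotnet\dotnet.exe$",
    r"C:\Program Files\Java\jdk-1.8\bin\kinit.exe", r"C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe$",
    r"C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe", r"C:\Program Files\Java\jdk-1.8\bin\idlj.exe$",
    r"C:\Program Files\Java\jdk-1.8\bin\idlj.exe", r"C:\Program Files\Java\jdk-1.8\bin\jmap.exe",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe$",
    r"C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE",
)]

# Constructed benign activity that must not fire any rule.
BENIGN_EVENTS = [
    {"type": "RegistryValueSet", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target_object": r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "ProcessCreate", "image": CMD, "command_line": CMD + r' /c "C:\Program Files\7-Zip\7z.exe" a out.zip'},
    _fc(r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\notes.txt"),
]

if __name__ == "__main__":
    for hit in evaluate(REPORT_EVENTS + BENIGN_EVENTS):
        print(*hit, sep=" | ")
```

Run stand-alone, the script prints one line per hit: the WinFirewall Run value from the sample, the two autorun.inf streams, the cmd.exe launch of patcher.exe, and the aggregate line for patcher.exe (7 .exe and 5 .exe$ writes), with nothing from the benign events. The Run-key rule deliberately parses the first token of the value rather than the whole string, because legitimate entries carry arguments after a quoted path; lowering the aggregate threshold to 3 also surfaces the sample, whose constructed subset has three writes.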
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize: 1.8MB
MD5: aa8bba91f5fa7f19b5f07af74bd8cf3f
SHA1: 52e078027ec57c6e63a35e463166f0213e898da1
SHA256: 6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309
SHA512: 0cba92bcef35b18e15fd6bd871787b7bf7fae2008dc92e76d6262c21246a7f2e101c8891094f19b4295a7e0b0131d50c17065ca1d5241b47e4175e2d893e0ea6
(identical to the submitted sample's hashes under General)
-
Filesize: 2.1MB
MD5: 8ad4a980dd8ad537a9c8812f6d12999c
SHA1: 02b58b6102f8ca26d91d599456486702116bbcd0
SHA256: 6fe028e41e2ed2676a409aa519a1a8ab781ce94d525d2b3c1fc368f8d0eda043
SHA512: 60548bd63ddb3505be5000c08c3926b64ecdee580e686b4d702d8c987776b8950bc4577b66c592fdd8e38fc0abdce30a8c5b8821765a9efd98e0ee215448e1d7
-
C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe
Filesize: 1.9MB
MD5: 5de2e58bd803da2ffe98a7d3103e5078
SHA1: d9c1287445bc58049d02a08a2becf91cfecd3f5b
SHA256: d6a33ca996c1abcf5e411d2ee4b51a0f51d60802f9dfcfffff8ae9d9886c236d
SHA512: 858decf253a34df1e15088f45c8175d76dd1d946ae3d05e0b7f71e5e9154f630974916543ef032ad326fcf048fd5836d34aac7ecde94ecb6943b64158c669d7a
-
Filesize: 2.3MB
MD5: 21af8fd7255e50b7bf01f76bb2edf240
SHA1: c156aafe73464a350fbc79a6aefc4d6e215a4944
SHA256: 26affc9e3067c3e66f13e8ab9ca214272ed5a1eb3b44c2a9b0f5269aa6c77f97
SHA512: 5a7b13391775f49cd4b3ea2c112cd38fa8dbf9c1f6459ccd52dc0f23d80abae307726c20bebf6866fa752e4d1d025bd5816e9ff34845390b8babceb5a6ba1682
-
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$
Filesize: 1.8MB
MD5: 21077340709c3aa85d347010ef30ae2f
SHA1: 1c6e9e16b8daaa1a90c2712f2ec735ce70b72de0
SHA256: 29b433662b0b20b6bcae1b6ab9ddffeeccdf2f2980cd5f31e364ef9b9ca0b109
SHA512: e52e1f4755f2d5328dabd45284788bcc9a01f8e9819a5a3c3d19d1e853933a47477689b588cd18804211d9e21b5ada08664d31e19f72c2b7aa44b7e6e888acbf