Analysis

  • max time kernel
    112s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:08

General

  • Target

    2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

  • Size

    1.8MB

  • MD5

    aa8bba91f5fa7f19b5f07af74bd8cf3f

  • SHA1

    52e078027ec57c6e63a35e463166f0213e898da1

  • SHA256

    6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309

  • SHA512

    0cba92bcef35b18e15fd6bd871787b7bf7fae2008dc92e76d6262c21246a7f2e101c8891094f19b4295a7e0b0131d50c17065ca1d5241b47e4175e2d893e0ea6

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2TSi1SoCU5qJSr1eWPSCsP0MY:oGeGO+njdzOvljv92DS7PLjeT

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:4232
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3344

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.8MB

          MD5

          aa8bba91f5fa7f19b5f07af74bd8cf3f

          SHA1

          52e078027ec57c6e63a35e463166f0213e898da1

          SHA256

          6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309

          SHA512

          0cba92bcef35b18e15fd6bd871787b7bf7fae2008dc92e76d6262c21246a7f2e101c8891094f19b4295a7e0b0131d50c17065ca1d5241b47e4175e2d893e0ea6

        • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$

          Filesize

          1.9MB

          MD5

          e537b3da77ae248295811c1682f5b71b

          SHA1

          cfb7016f20ff7fc41a3a6ea9ae86345131855362

          SHA256

          ac91cf38cca228c2137d86a7c338ff87c91193e66e1f2b06bd0bb1fc9177c616

          SHA512

          26bcdea63073f057a5446529b5d7907bcf039a50fa178d9710063f256eb44a77c25dabd1b7d919eca2ddead27674e32fbb3e5e41ea578c3c6b7f4ad8cf829fc9

        • C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe$

          Filesize

          1.9MB

          MD5

          5de2e58bd803da2ffe98a7d3103e5078

          SHA1

          d9c1287445bc58049d02a08a2becf91cfecd3f5b

          SHA256

          d6a33ca996c1abcf5e411d2ee4b51a0f51d60802f9dfcfffff8ae9d9886c236d

          SHA512

          858decf253a34df1e15088f45c8175d76dd1d946ae3d05e0b7f71e5e9154f630974916543ef032ad326fcf048fd5836d34aac7ecde94ecb6943b64158c669d7a

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          2.3MB

          MD5

          21af8fd7255e50b7bf01f76bb2edf240

          SHA1

          c156aafe73464a350fbc79a6aefc4d6e215a4944

          SHA256

          26affc9e3067c3e66f13e8ab9ca214272ed5a1eb3b44c2a9b0f5269aa6c77f97

          SHA512

          5a7b13391775f49cd4b3ea2c112cd38fa8dbf9c1f6459ccd52dc0f23d80abae307726c20bebf6866fa752e4d1d025bd5816e9ff34845390b8babceb5a6ba1682

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$

          Filesize

          1.8MB

          MD5

          21077340709c3aa85d347010ef30ae2f

          SHA1

          1c6e9e16b8daaa1a90c2712f2ec735ce70b72de0

          SHA256

          29b433662b0b20b6bcae1b6ab9ddffeeccdf2f2980cd5f31e364ef9b9ca0b109

          SHA512

          e52e1f4755f2d5328dabd45284788bcc9a01f8e9819a5a3c3d19d1e853933a47477689b588cd18804211d9e21b5ada08664d31e19f72c2b7aa44b7e6e888acbf

        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe$

          Filesize

          2.0MB

          MD5

          5a1075f102e4b70ec765855cce292df3

          SHA1

          e27b2b517a51dbceac5956c18e7c8752ec0e4ac6

          SHA256

          56f26936cf146aecba5111880a303847ad807d3cffec716c016f02ba3bdaf1be

          SHA512

          0c916d70c28dc4bfa3758d2950044fba5040615e6b08330eb2b19b7ec77b52559cf9d77543dc29122ec80a535a329f0563530da7dc7ec19f32e133508eaf0db7

        • memory/3344-1555-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/4232-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/4232-1554-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB
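
Added example, not part of the sandbox report above: a small Python parser that turns the Downloads entries into IoC records and runs three cross-checks a triager would otherwise do by hand. It reports which dropped files carry the submitted sample's SHA256 (here `C:\905c0769f9a06c95a24ddf945\patcher.exe` has exactly the hashes of the sample, so the first stage drops a copy of itself), which entries are a legitimate executable path with a trailing `$` (the AdobeARM.exe$, MicrosoftEdgeWebview_X64_132.0.2957.140.exe$, misc.exe$ and wt.exe$ entries; worth reviewing alongside the "Drops file in Program Files directory" signature), and whether each memory dump's reported size agrees with its address range (0x400000 to 0x40D000 is 0xD000 bytes, which is 52 KB, so that region is consistent). `REPORT_FRAGMENT` is a constructed excerpt copied from this report's own entries; the `Artifact` class and the function names are the example's own.

```python
"""Parse Triage-style 'Downloads' entries into IoC records and cross-check them.

Added example: it expects the bullet / label / value layout of the report above.
REPORT_FRAGMENT is a constructed excerpt copied from that report's entries.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SHA256 of the submitted sample, taken from the report's "General" section.
SAMPLE_SHA256 = "6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309"

# Constructed input: three entries copied from the report's Downloads list.
REPORT_FRAGMENT = r"""
Downloads

• C:\905c0769f9a06c95a24ddf945\patcher.exe

  Filesize

  1.8MB

  MD5

  aa8bba91f5fa7f19b5f07af74bd8cf3f

  SHA256

  6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309

• C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$

  Filesize

  1.9MB

  SHA256

  ac91cf38cca228c2137d86a7c338ff87c91193e66e1f2b06bd0bb1fc9177c616

• memory/4232-0-0x0000000000400000-0x000000000040D000-memory.dmp

  Filesize

  52KB
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = set(HASH_LENGTHS) | {"Filesize"}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
# Memory-dump labels look like memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMORY_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Artifact:
    name: str                          # file path or memory-dump label
    size_text: Optional[str] = None    # e.g. "1.8MB", as printed by the sandbox
    hashes: Dict[str, str] = field(default_factory=dict)

    def size_bytes(self) -> Optional[int]:
        m = SIZE_RE.match(self.size_text or "")
        return int(float(m.group(1)) * SIZE_UNITS[m.group(2)]) if m else None

    def region(self) -> Optional[Tuple[int, int, int]]:
        """(pid, start, end) for a memory dump, None for a dropped file."""
        m = MEMORY_RE.match(self.name)
        return (int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)) if m else None


def parse_downloads(text: str) -> List[Artifact]:
    """Each '•' line opens an entry; a label line is followed by its value line."""
    artifacts: List[Artifact] = []
    pending: Optional[str] = None      # label whose value is still to come
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            artifacts.append(Artifact(name=line[1:].strip()))
            pending = None
        elif line in LABELS:
            pending = line
        elif pending is not None and artifacts:
            current = artifacts[-1]
            if pending == "Filesize":
                current.size_text = line
            elif re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[pending], line):
                current.hashes[pending] = line
            else:   # a hash of the wrong length means the layout was mis-read
                raise ValueError(f"{current.name}: bad {pending} value {line!r}")
            pending = None
    return artifacts


def self_copies(artifacts: List[Artifact], sample_sha256: str) -> List[str]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [a.name for a in artifacts if a.hashes.get("SHA256") == sample_sha256.lower()]


def dollar_suffixed_executables(artifacts: List[Artifact]) -> List[str]:
    """Entries named like a legitimate executable with a trailing '$'."""
    return [a.name for a in artifacts if a.name.lower().endswith(".exe$")]


def memory_size_mismatches(artifacts: List[Artifact]) -> List[str]:
    """Dumps whose reported Filesize disagrees with end - start (KB rounding allowed)."""
    bad = []
    for a in artifacts:
        r = a.region()
        if r is None:
            continue
        size = a.size_bytes()
        if size is None or abs(size - (r[2] - r[1])) >= 1024:
            bad.append(a.name)
    return bad


if __name__ == "__main__":
    arts = parse_downloads(REPORT_FRAGMENT)
    print("self-copies of the sample:", self_copies(arts, SAMPLE_SHA256))
    print("'$'-suffixed executables:", dollar_suffixed_executables(arts))
    print("memory dumps with size mismatch:", memory_size_mismatches(arts))
```

Feed the full Downloads section to `parse_downloads` instead of the fragment and the same checks cover all six dropped files and three memory dumps; the hash-length check turns a mis-aligned label/value pair into an error rather than a silently wrong IoC.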