Analysis
max time kernel: 112s
max time network: 105s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:08

Static task: static1

Behavioral task: behavioral1
Sample: 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win10v2004-20250610-en

Behavioral task: behavioral2
Sample: 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win11-20250619-en
General
Target: 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.8MB
MD5: aa8bba91f5fa7f19b5f07af74bd8cf3f
SHA1: 52e078027ec57c6e63a35e463166f0213e898da1
SHA256: 6ffcb57ccb3c8e62239337b7953b235e71e649aa1e45549d43e23e6a8856c309
SHA512: 0cba92bcef35b18e15fd6bd871787b7bf7fae2008dc92e76d6262c21246a7f2e101c8891094f19b4295a7e0b0131d50c17065ca1d5241b47e4175e2d893e0ea6
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2TSi1SoCU5qJSr1eWPSCsP0MY:oGeGO+njdzOvljv92DS7PLjeT
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
3344 | patcher.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
NTFS ADS (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4232 | 2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
3344 | patcher.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 780 wrote to memory of 3344 | 780 | cmd.exe | 83
PID 780 wrote to memory of 3344 | 780 | cmd.exe | 83
PID 780 wrote to memory of 3344 | 780 | cmd.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_aa8bba91f5fa7f19b5f07af74bd8cf3f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID: 4232

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
- Suspicious use of WriteProcessMemory
PID: 780

    C:\905c0769f9a06c95a24ddf945\patcher.exe (depth 2, child of cmd.exe PID 780)
    Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3344
Network
MITRE ATT&CK Enterprise v16
Downloads