Analysis

  • max time kernel
    127s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/07/2025, 12:10

General

  • Target

    2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe

  • Size

    1.3MB

  • MD5

    43b4206a450ae2e6ca31f8cfc092e469

  • SHA1

    686b1d9f5eddf3cb42e6aaef8d8dbfb7f5426be9

  • SHA256

    341546d09a1e6bb9645d22fcdf85b0c3be08c4a4a0391de589c12d404750ab79

  • SHA512

    6d6e494e34ac264fe1e88caaf9b5968a6466e6c43af434e6b1cda0ef60563b7a027d021d4e388e744bf94088fbfe33e93650062d0fb2f9421e0477019eb50a29

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2s:oGeGO+njdzOvljv92s

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:5484
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5784
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4492

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          43b4206a450ae2e6ca31f8cfc092e469

          SHA1

          686b1d9f5eddf3cb42e6aaef8d8dbfb7f5426be9

          SHA256

          341546d09a1e6bb9645d22fcdf85b0c3be08c4a4a0391de589c12d404750ab79

          SHA512

          6d6e494e34ac264fe1e88caaf9b5968a6466e6c43af434e6b1cda0ef60563b7a027d021d4e388e744bf94088fbfe33e93650062d0fb2f9421e0477019eb50a29

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe$

          Filesize

          1.6MB

          MD5

          dfc66a5fd14d92dc07cb066226df197e

          SHA1

          3774b7eb10194688b8f8e061a201de995e0fe74c

          SHA256

          555a24ddd523c13b09d58418b7ebf157b3569bd09d2a72d5b9916278d2d3d006

          SHA512

          da5ef7a0f235ce38d80b92c2711e61f646ffe899b53b3802900beb4441073350b36d7f34ca198bdab683f2c4bfd0c70c5253d46c25ede4f18d742c7540752856

        • C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe$

          Filesize

          1.7MB

          MD5

          e6644a495e91294b0e32e4f04cc911e7

          SHA1

          20c0f56b6adbebf55a149d63374480ae997fd5f5

          SHA256

          84f799a7a638df3413d1cbd3fd0d58e458a493942243c2b3df6aaf26a0839a6a

          SHA512

          ba8a9f3e7f14364cc7640893eeb8f858f0ae5f21ed843a8182a2c4dc4968e2621294004b43586802e6df7164abad14d46dc4f10c5f1d382dc9563ea5ff454884

        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe

          Filesize

          1.4MB

          MD5

          e66ab12ba339069d20139e481ee0b2e4

          SHA1

          d6cf7299a0c94527fa118b48efc58a67cececcf7

          SHA256

          5219b2b8af8593aa14a20eb224c5083c60982f3143882f62a6e32dd0ca106737

          SHA512

          bb6247915d1592f9177403fa86e116b2ff834494947275198ac29777c3fd1bd3bea2929873d32071f29473cebc245534b8354515fcd6975b1106c676d55ffabc

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          6e2cef7a7443fee3b865d443bd9b3afb

          SHA1

          ac017ea8f9c2c3bda53f2471e717d260bed98783

          SHA256

          3e51aa0301b4422cd009396f1ab93eac50e849db127e3142fe58aa46dc1a4102

          SHA512

          b73c9c8a5ac452a05156e45ffead3ba50f96aad7bcda5992b3f00d7e219ae678ad1f01aedb5c4622e02ce71287a12fb4f950ed329a08dc4c2a5195ec22fd8f82

        • C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

          Filesize

          1.4MB

          MD5

          170690e6614c59b6e2ee93097d7cc7dc

          SHA1

          f1e30c7245248185b1b627d64c9d4a32943a925e

          SHA256

          f3f1de804931989e8bf2e1b812a9e37566c2ed603e93df96e23434bee8403989

          SHA512

          f6d0475d7f6a7db35fbf0086394b8cff4d0803091ddfcf01889139c562f15c06378d4e830f0742f192db265ad6d23f5c52203fbdc14301e03437c1594a9fddf7

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe

          Filesize

          1.3MB

          MD5

          e10aa649adda15d923df0fd7e2a73490

          SHA1

          99d66999e594f32e496e79b3d2554e0f971b44e8

          SHA256

          476da456fee5e0ac30e39ae6d47b5ba02d74b026559329fb6f33431efb4650c3

          SHA512

          8a6431b557449c01f7d4eada3ee9d0fad1343389333ae78cbaddd58f779bc3aaf6a674668b7bc704492618ec3d163707d5909b4fc57fc97076eac1943e1375d7

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe

          Filesize

          1.3MB

          MD5

          d8ebcc90d830ef7b1983934b859060ab

          SHA1

          44fd131754b985f6d02eb87ebed23b2dd9ed1526

          SHA256

          15785edf1450d18acb6f24f8f495213f1a824f3c3588ab446baf2602a69402f4

          SHA512

          8989d8e406ee8cc43f2c12a571418265f7026e3c8a3846133535d67addf2dedb9e4a1092b500c7f66c6ea359a0da1f432a12f48139b7bf9e1251168a301930a6

        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

          Filesize

          1.5MB

          MD5

          e88acb1dc6cab8323ee168b92850b66d

          SHA1

          7519df4a502d9fb4dc0b9fd656740dccabad8ea2

          SHA256

          7d985a87e7db0a63f073df1fc609c5ca332ef0d514933796dc0b07eb96aae6c1

          SHA512

          8b929ce71309a98751115216e2466fbd340b5486a226973f4e8b6430e304cd29f60f216dc6be49364534a9c9855d796ffdafd110590194c50128c7d7bcca5956

        • memory/4492-1572-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5484-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5484-1571-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB