Analysis
- max time kernel: 127s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 12:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
- Resource: win10v2004-20250610-en
General
- Target: 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
- Size: 1.3MB
- MD5: 43b4206a450ae2e6ca31f8cfc092e469
- SHA1: 686b1d9f5eddf3cb42e6aaef8d8dbfb7f5426be9
- SHA256: 341546d09a1e6bb9645d22fcdf85b0c3be08c4a4a0391de589c12d404750ab79
- SHA512: 6d6e494e34ac264fe1e88caaf9b5968a6466e6c43af434e6b1cda0ef60563b7a027d021d4e388e744bf94088fbfe33e93650062d0fb2f9421e0477019eb50a29
- SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2s:oGeGO+njdzOvljv92s
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4492 | patcher.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
- Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
  File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
- NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  5484 | 2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
  4492 | patcher.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5784 wrote to memory of 4492 | 5784 | cmd.exe | 90
  PID 5784 wrote to memory of 4492 | 5784 | cmd.exe | 90
  PID 5784 wrote to memory of 4492 | 5784 | cmd.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_43b4206a450ae2e6ca31f8cfc092e469_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rh.exe"
  PID: 5484
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
  PID: 5784
  - Suspicious use of WriteProcessMemory
  - C:\905c0769f9a06c95a24ddf945\patcher.exe (child process of cmd.exe)
    Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    PID: 4492
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads