Analysis

max time kernel: 77s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:13

Static task: static1

Behavioral task: behavioral1
Sample: 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win11-20250610-en

General

Target: 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.4MB
MD5: 5253f80680a0966e9548d7cf95b5b5c4
SHA1: 20d74b053bb8dc68fcb05563f1a9c1f36ebd1232
SHA256: 06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7
SHA512: b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk26KY0TXz:oGeGO+njdzOvljv92y0Tj
Malware Config

No configuration was extracted. The family names in the file name (amadey, black-basta, darkgate, elex, hawkeye, luca-stealer, smoke-loader) come from the submitted file name, not from the sandbox: the signatures below are generic behavioural detections, so the name should not be read as a family verdict.
Signatures

Executes dropped EXE (1 IoC)
  pid | Process
  5216 | patcher.exe
  The dropped copy runs from C:\905c0769f9a06c95a24ddf945\, a hex-named directory directly under the drive root. That path and the Run value name below are the host-side artefacts to hunt for.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
  Both the submitted sample and the dropped copy write the same value, so the persistence entry is re-created if only one of them is removed. The key lands under WOW6432Node, which is where registry redirection places writes to HKLM\SOFTWARE made by a 32-bit process on x64 (consistent with the arch:x86 resource tag).

Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
  Both paths have the form <directory>\:\autorun.inf, i.e. the content goes into a named stream attached to the directory rather than into a regular file (the Temp entry is also listed under NTFS ADS below). Windows 7 and later honour autorun.inf only on optical media by default, so treat this as an indicator of intent rather than as a working spreading mechanism.

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
  The write lands in SysWOW64 rather than System32, which is what file-system redirection gives a 32-bit process that opens the system directory.
Drops file in Program Files directory (64 IoCs)
  Paths are reproduced exactly as the sandbox reported them, including the trailing "$" on some names. In the Process column, <sample> stands for 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe.
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe$ | patcher.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe$ | <sample>
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe$ | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe$ | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | patcher.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | <sample>
  File created | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | patcher.exe
  File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | patcher.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe | <sample>
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | <sample>
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE$ | <sample>
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe$ | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe$ | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe | patcher.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | <sample>
  File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE$ | patcher.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe | <sample>
  File created | C:\Program Files\7-Zip\Uninstall.exe | <sample>
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe$ | <sample>
  File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | patcher.exe
  File created | C:\Program Files\VideoLAN\VLC\vlc.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | patcher.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe | patcher.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe | patcher.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe | patcher.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$ | <sample>
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe$ | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE | patcher.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe$ | patcher.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe | <sample>
  File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe$ | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe$ | <sample>
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe | <sample>
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | <sample>
  File opened for modification | C:\Program Files\Mozilla Firefox\nmhproxy.exe$ | <sample>
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE$ | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE$ | patcher.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe$ | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | patcher.exe
  File created | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | <sample>
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | patcher.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msoasb.exe$ | <sample>
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE$ | patcher.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe$ | <sample>
  The point of this table is not any single path: both the submitted sample and its dropped copy open dozens of unrelated third-party executables (Java, Office, .NET, Acrobat, VLC, 7-Zip, Store apps) for modification, or create files with those names. On a live host, verify those binaries by Authenticode signature or by hash against a known-good copy rather than trusting the file names, and include every executable under Program Files in the scope, not only the 64 listed here.
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe

NTFS ADS (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4100 | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  5216 | patcher.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1236 wrote to memory of 5216 | 1236 | cmd.exe | 86
  PID 1236 wrote to memory of 5216 | 1236 | cmd.exe | 86
  PID 1236 wrote to memory of 5216 | 1236 | cmd.exe | 86
  All three writes are cmd.exe (PID 1236) into the patcher.exe process it had just started (PID 5216). A parent writing into a freshly created child is part of ordinary process start-up, so this entry corroborates the launch chain in the process tree rather than indicating code injection on its own.
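The signature rows above are rendered as one run-together line per signature. The following Python helper is an added example, not part of the sandbox report: it splits rows of that shape into (action, IoC, process) records and pulls out the indicators a hunter wants from this report, the Run value and its target, the directory streams, and the executables each process touched. REPORT_ROWS is a constructed excerpt copied from the report's own rows; the function names are this example's.

```python
import re
from collections import defaultdict

# Added triage helper, not part of the sandbox report: it parses the report's
# run-together "description ioc Process" rows into structured indicators.
SAMPLE = ("2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_"
          "elex_hawkeye_luca-stealer_smoke-loader.exe")
DROPPED = "patcher.exe"
PROCESSES = (SAMPLE, DROPPED)
ACTIONS = ("File opened for modification", "File created", "Set value (str)", "Key opened")
ADS_MARKER = "\\:\\"   # the report renders a directory's alternate stream as <dir>\:\<stream>

# Constructed excerpt: a handful of rows copied in the exact shape the report uses.
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" <sample> Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" patcher.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf <sample> File opened for modification C:\Windows\SysWOW64\:\autorun.inf patcher.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe$ patcher.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe patcher.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe$ <sample> File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe$ <sample> File created C:\Program Files\Java\jdk-1.8\bin\jdeps.exe patcher.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language <sample> Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language patcher.exe
""".replace("<sample>", SAMPLE)

# A row is "<action> <ioc> <process>" repeated; the ioc may contain spaces, so the
# only reliable delimiter is a known process name followed by a space or end of line.
ROW_RE = re.compile(
    r"(?P<action>%s) (?P<ioc>.+?) (?P<process>%s)(?= |$)"
    % ("|".join(re.escape(a) for a in ACTIONS),
       "|".join(re.escape(p) for p in PROCESSES)),
    re.M,
)
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^ ]+) = "(?P<data>[^"]*)"')


def parse_rows(text):
    """Split the run-together rows into {action, ioc, process} records."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def run_key_entries(records):
    """Persistence: (Run value name, command it points to, writing process)."""
    out = []
    for r in records:
        if r["action"] != "Set value (str)":
            continue
        m = RUN_VALUE_RE.search(r["ioc"])
        if m:
            # The report double-escapes backslashes inside the quoted value data.
            out.append((m["name"], m["data"].replace("\\\\", "\\"), r["process"]))
    return out


def ads_paths(records):
    """Paths rendered as <dir>\\:\\<stream>, i.e. alternate data streams on a directory."""
    return sorted({r["ioc"] for r in records if ADS_MARKER in r["ioc"]})


def executables_touched(records):
    """Executables under Program Files each process modified or created."""
    by_proc = defaultdict(set)
    for r in records:
        if r["action"] in ("File opened for modification", "File created"):
            p = r["ioc"].lower()
            if p.startswith("c:\\program files") and p.rstrip("$").endswith(".exe"):
                by_proc[r["process"]].add(r["ioc"])
    return dict(by_proc)


def dollar_suffix_paths(records):
    """Paths the report lists verbatim with a trailing '$'; keep them for file-system hunting."""
    return sorted(r["ioc"] for r in records if r["ioc"].endswith("$"))


def hunt_summary(text):
    recs = parse_rows(text)
    runs = run_key_entries(recs)
    return {
        "records": len(recs),
        "run_keys": runs,
        # True when the persistence entry launches the dropped executable by name.
        "persists_dropped_exe": any(d.lower().endswith("\\" + DROPPED) for _, d, _ in runs),
        "ads": ads_paths(recs),
        "exe_targets": {k: sorted(v) for k, v in executables_touched(recs).items()},
        "dollar_suffix": dollar_suffix_paths(recs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt_summary(REPORT_ROWS), indent=2))
```

Feeding the full report text instead of the excerpt gives the complete hunt list; the only thing the parser needs to know in advance is the set of process names that appear in the Process column.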
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    PID: 4100
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    PID: 1236
    - Suspicious use of WriteProcessMemory

    [2] C:\905c0769f9a06c95a24ddf945\patcher.exe
        Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
        PID: 5216
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

The bracketed number is the depth in the tree as the report shows it. cmd.exe (PID 1236) is listed at depth 1, i.e. the report presents it as a second root process rather than as a child of PID 4100; the only parent-child link the tree records is cmd.exe /c launching the dropped patcher.exe (PID 5216).
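What the process tree and the signatures above look like in host telemetry, as an added example that is not part of the report: the Python below correlates constructed Sysmon-style events (field names follow Sysmon's schema; EventID 1 process creation, 13 registry SetValue, 15 FileCreateStreamHash) that mirror the report's observations, the cmd.exe /c launch of patcher.exe, the Run value pointing at it, and autorun.inf written as a stream. The sample-to-cmd.exe parent link is not shown in the report and is not assumed; the two benign control events, PIDs 777 and 888, the Vendor path and the Zone.Identifier example are invented for the example, and the `dir:stream` rendering of the stream paths is an assumption about how Sysmon would log them.

```python
import re
from collections import defaultdict

# Added detection example, not from the report. Events are constructed to mirror
# the report's process tree and signatures; only PIDs 4100, 1236 and 5216, the
# drop path, the Run value and the autorun.inf streams come from the report.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)

EVENTS = [
    # EID 1: cmd.exe /c <dropped exe> (report: PID 1236); its own parent is not asserted.
    {"EventID": 1, "ProcessId": 1236, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe"},
    # EID 1: the dropped copy started by cmd.exe (report: PID 5216).
    {"EventID": 1, "ProcessId": 5216, "ParentProcessId": 1236,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\905c0769f9a06c95a24ddf945\patcher.exe",
     "CommandLine": r"C:\905c0769f9a06c95a24ddf945\patcher.exe"},
    # EID 13: both processes set the same Run value (report: WinFirewall).
    {"EventID": 13, "ProcessId": 4100, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall",
     "Details": r"C:\905c0769f9a06c95a24ddf945\patcher.exe"},
    {"EventID": 13, "ProcessId": 5216, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall",
     "Details": r"C:\905c0769f9a06c95a24ddf945\patcher.exe"},
    # Benign control (invented): an installer registering a Run value under Program Files.
    {"EventID": 13, "ProcessId": 777, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    # EID 15: autorun.inf written as a stream on a directory (report: both processes).
    {"EventID": 15, "ProcessId": 4100,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp:autorun.inf"},
    {"EventID": 15, "ProcessId": 5216,
     "TargetFilename": r"C:\Windows\SysWOW64:autorun.inf"},
    # Benign control (invented): a browser download with its mark-of-the-web stream.
    {"EventID": 15, "ProcessId": 888,
     "TargetFilename": r"C:\Users\Admin\Downloads\report.pdf:Zone.Identifier"},
]


def _under_trusted_root(path):
    p = path.lower().strip('"')
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def run_key_writes(events):
    """EID 13 SetValue on a ...\\CurrentVersion\\Run value -> (pid, value name, target)."""
    hits = []
    for e in events:
        if e.get("EventID") != 13 or e.get("EventType") != "SetValue":
            continue
        m = RUN_KEY_RE.search(e["TargetObject"])
        if m:
            hits.append((e["ProcessId"], m["name"], e["Details"].strip('"')))
    return hits


def executed_images(events):
    """Image path (lower-cased) -> set of PIDs that ran it (EID 1)."""
    ran = defaultdict(set)
    for e in events:
        if e.get("EventID") == 1:
            ran[e["Image"].lower()].add(e["ProcessId"])
    return ran


def suspicious_persistence(events):
    """Run value pointing outside Program Files/Windows, plus which PIDs ran that target."""
    ran = executed_images(events)
    out = []
    for pid, name, target in run_key_writes(events):
        if _under_trusted_root(target):
            continue  # installers normally register binaries here; keep the rule tight
        out.append({"writer_pid": pid, "value": name, "target": target,
                    "executed_as": sorted(ran.get(target.lower(), ()))})
    return out


def autorun_ads_writes(events):
    """EID 15 (FileCreateStreamHash) whose stream name is autorun.inf -> (pid, base path)."""
    out = []
    for e in events:
        if e.get("EventID") != 15:
            continue
        base, _, stream = e["TargetFilename"].rpartition(":")
        if stream.lower() == "autorun.inf":
            out.append((e["ProcessId"], base))
    return out


def shell_spawned_from_untrusted_dir(events):
    """cmd.exe /c launching a binary from outside the trusted roots -> (parent pid, pid, image)."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    out = []
    for e in by_pid.values():
        parent = by_pid.get(e.get("ParentProcessId"))
        if parent is None or not parent["Image"].lower().endswith("\\cmd.exe"):
            continue
        if "/c" in parent.get("CommandLine", "").lower() and not _under_trusted_root(e["Image"]):
            out.append((parent["ProcessId"], e["ProcessId"], e["Image"]))
    return out


def alerts(events):
    """One combined view for triage: rule name -> findings."""
    return {
        "run_key_to_untrusted_path": suspicious_persistence(events),
        "autorun_inf_as_ads": autorun_ads_writes(events),
        "cmd_c_launch_from_untrusted_dir": shell_spawned_from_untrusted_dir(events),
    }


if __name__ == "__main__":
    for rule, hits in alerts(EVENTS).items():
        print(rule, hits)
```

The three rules fire independently, so a host that shows only the Run value (the dropped copy was cleaned up but the registry entry survived) still surfaces; the `executed_as` field ties the persistence target back to the process that actually ran, which is the link the report's WriteProcessMemory entry and process tree establish here.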
Network
MITRE ATT&CK Enterprise v16
Downloads

File 1 (same hashes as the submitted sample)
  Filesize: 1.4MB
  MD5: 5253f80680a0966e9548d7cf95b5b5c4
  SHA1: 20d74b053bb8dc68fcb05563f1a9c1f36ebd1232
  SHA256: 06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7
  SHA512: b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad

File 2
  Filesize: 1.6MB
  MD5: 2e00fb4e11dfa8d7646c100f6861ef6c
  SHA1: 827a34a276fcd853b752c9920ade0fedb3eaa466
  SHA256: 0bba7bbaf9f7bcc5e1e47861fe4d2e67f78ba5138a6514a3ca86d05e1e2a03cf
  SHA512: 0dbee7a6ff9d4ca0955e3b7cae5890bf68e064940e2ffc606320767d23220864e3b8c7b85e4f49880454d4c50bb5ce4ebbdfdadcd9e594db10cfc20f57cc64ae

File 3
  Filesize: 1.5MB
  MD5: b6f7d098c817059a2a968ec14d166098
  SHA1: c013fbbe893eda87d5c629aea688200140a0b5e8
  SHA256: e913cd28d6fc2faa18dbd4c959db093700d669f3099b4731947dd09503d83813
  SHA512: 0dfeedfbe92e04ebba266396b55cb7b58e2cb6700b5b846848b877a8a10eb9f86addf0e18056b7a61e2fcd0bcf1c3b3e39ff9c9dd20faa7ae853a9abf9b7d7ec

File 4
  Filesize: 1.9MB
  MD5: b0270b8614e645872c933e0865502ba0
  SHA1: a5ccd773220a84b34ee9e25d853b374cfbb0ccb7
  SHA256: 255f9cdf8a15d08dcb4ecbfd6d9103d71debf118c5902993864ccb3aa36412fa
  SHA512: 1f88569da608f18ced492df1f75b5d773b9627ffb9a7ee90992f32351add15f4c49e1dfcbb0bc84a22c1cf5d1244b104b223dff74dc7e65316d478e8a909c827

File 5
  Filesize: 1.5MB
  MD5: 21ff3bbe993c594f1b33e41c52a6c9b4
  SHA1: ee2a9a3a2cf07d025d9e5c67ddb3cebb09295001
  SHA256: 1057fa462cd6a939fd3a5a062c495a4c408f6801e73f33e4948f1930b7595fce
  SHA512: 1dff09fed010b9fad795694e59ea365f83f2d71ebb685b83b167a133a26d7e85d2a94e41886a2779980bbfebefeab08573d37b2cf8142433e0002318b4bacdd5

File 6
  Filesize: 1.4MB
  MD5: dca2781ea20ba661e9ffe74824b9a743
  SHA1: 2f678da436f4538b8594824aecacafe74f41fb66
  SHA256: f06285ea3b1a92ef220c9bdd5a846f9fae7babfa46cf2270dc4118cca7e7e549
  SHA512: 8f4cabb4201c2d9cc5919298aa6b19ec40a25ea647e6ace94073398ef6162ec8bac1b7d900b52e1a9d60fd7ee0756af50e4c09c3e87ae1de251177e7279eb4ea

File 7
  Filesize: 1.9MB
  MD5: c6d24019b33ace88abb086b07cb322ea
  SHA1: 6d754003889b0a8c7eb72c8b2e64078908d4250d
  SHA256: 2828320f6a29e8e8ecbace4ed060fd259f77aaf7883e43524edb3e7dc81f1161
  SHA512: f2b6a2dccacbb741c44b9be34f8bb0a241eead9a4097293c831c3fadca36164f1c756a727d3990a35f4261ba62731c327869c1b9508906cb98d2b3854771d62c

File 8
  Filesize: 1.9MB
  MD5: 6cabd9ba06b333d145c91c44b3f42557
  SHA1: b483b6cb35c6d915a57963c8b6ff3514193a7428
  SHA256: 9fff3278eeff628fad43fda97dec40523781d013d269f530e13ed2400a27ceff
  SHA512: 1be4a74f7811edf7e8434b6502b1b4070deb16f3e0b7dffdb0ece3b1b8dc601d7602aafb199591943438a182dca3064636047ae0742af3f16a305213ffa34ff3

File 9
  Filesize: 1.5MB
  MD5: abc22efad8b836f080f606004bd4ddf2
  SHA1: 2146661ddc263473ec7861bc51ea11b01edfab2f
  SHA256: 7145edc466c893789904636f602fdeb8ecff1ef02691d58f84f7144097f867db
  SHA512: e48a50e352cb76d345c69e6bf9ed9f5355dcff8e31cff297f293cb03730fadd35adbaf919d88bc32d094a5c0de31c3f2eda2e33ba82f24ed0b37b73b3996d039

The report does not name files 2 to 9; they are listed by hash only. Their sizes (1.4MB to 1.9MB) are all in the range of the executables the sample and patcher.exe touched, so before blocking on these hashes, confirm on the host which path each one corresponds to.