Analysis

  • max time kernel
    77s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:13

General

  • Target
    2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  • Size
    1.4MB
  • MD5
    5253f80680a0966e9548d7cf95b5b5c4
  • SHA1
    20d74b053bb8dc68fcb05563f1a9c1f36ebd1232
  • SHA256
    06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7
  • SHA512
    b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad
  • SSDEEP
    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk26KY0TXz:oGeGO+njdzOvljv92y0Tj

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops autorun.inf file (1 TTPs, 2 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in System32 directory (1 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • NTFS ADS (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:4100
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5216

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\905c0769f9a06c95a24ddf945\patcher.exe
    Filesize: 1.4MB
    MD5: 5253f80680a0966e9548d7cf95b5b5c4
    SHA1: 20d74b053bb8dc68fcb05563f1a9c1f36ebd1232
    SHA256: 06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7
    SHA512: b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
    Filesize: 1.6MB
    MD5: 2e00fb4e11dfa8d7646c100f6861ef6c
    SHA1: 827a34a276fcd853b752c9920ade0fedb3eaa466
    SHA256: 0bba7bbaf9f7bcc5e1e47861fe4d2e67f78ba5138a6514a3ca86d05e1e2a03cf
    SHA512: 0dbee7a6ff9d4ca0955e3b7cae5890bf68e064940e2ffc606320767d23220864e3b8c7b85e4f49880454d4c50bb5ce4ebbdfdadcd9e594db10cfc20f57cc64ae

  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe
    Filesize: 1.5MB
    MD5: b6f7d098c817059a2a968ec14d166098
    SHA1: c013fbbe893eda87d5c629aea688200140a0b5e8
    SHA256: e913cd28d6fc2faa18dbd4c959db093700d669f3099b4731947dd09503d83813
    SHA512: 0dfeedfbe92e04ebba266396b55cb7b58e2cb6700b5b846848b877a8a10eb9f86addf0e18056b7a61e2fcd0bcf1c3b3e39ff9c9dd20faa7ae853a9abf9b7d7ec

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 1.9MB
    MD5: b0270b8614e645872c933e0865502ba0
    SHA1: a5ccd773220a84b34ee9e25d853b374cfbb0ccb7
    SHA256: 255f9cdf8a15d08dcb4ecbfd6d9103d71debf118c5902993864ccb3aa36412fa
    SHA512: 1f88569da608f18ced492df1f75b5d773b9627ffb9a7ee90992f32351add15f4c49e1dfcbb0bc84a22c1cf5d1244b104b223dff74dc7e65316d478e8a909c827

  • C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe
    Filesize: 1.5MB
    MD5: 21ff3bbe993c594f1b33e41c52a6c9b4
    SHA1: ee2a9a3a2cf07d025d9e5c67ddb3cebb09295001
    SHA256: 1057fa462cd6a939fd3a5a062c495a4c408f6801e73f33e4948f1930b7595fce
    SHA512: 1dff09fed010b9fad795694e59ea365f83f2d71ebb685b83b167a133a26d7e85d2a94e41886a2779980bbfebefeab08573d37b2cf8142433e0002318b4bacdd5

  • C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
    Filesize: 1.4MB
    MD5: dca2781ea20ba661e9ffe74824b9a743
    SHA1: 2f678da436f4538b8594824aecacafe74f41fb66
    SHA256: f06285ea3b1a92ef220c9bdd5a846f9fae7babfa46cf2270dc4118cca7e7e549
    SHA512: 8f4cabb4201c2d9cc5919298aa6b19ec40a25ea647e6ace94073398ef6162ec8bac1b7d900b52e1a9d60fd7ee0756af50e4c09c3e87ae1de251177e7279eb4ea

  • C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe$
    Filesize: 1.9MB
    MD5: c6d24019b33ace88abb086b07cb322ea
    SHA1: 6d754003889b0a8c7eb72c8b2e64078908d4250d
    SHA256: 2828320f6a29e8e8ecbace4ed060fd259f77aaf7883e43524edb3e7dc81f1161
    SHA512: f2b6a2dccacbb741c44b9be34f8bb0a241eead9a4097293c831c3fadca36164f1c756a727d3990a35f4261ba62731c327869c1b9508906cb98d2b3854771d62c

  • C:\Program Files\Microsoft Office\root\Integration\Integrator.exe$
    Filesize: 1.9MB
    MD5: 6cabd9ba06b333d145c91c44b3f42557
    SHA1: b483b6cb35c6d915a57963c8b6ff3514193a7428
    SHA256: 9fff3278eeff628fad43fda97dec40523781d013d269f530e13ed2400a27ceff
    SHA512: 1be4a74f7811edf7e8434b6502b1b4070deb16f3e0b7dffdb0ece3b1b8dc601d7602aafb199591943438a182dca3064636047ae0742af3f16a305213ffa34ff3

  • C:\Program Files\Mozilla Firefox\uninstall\helper.exe$
    Filesize: 1.5MB
    MD5: abc22efad8b836f080f606004bd4ddf2
    SHA1: 2146661ddc263473ec7861bc51ea11b01edfab2f
    SHA256: 7145edc466c893789904636f602fdeb8ecff1ef02691d58f84f7144097f867db
    SHA512: e48a50e352cb76d345c69e6bf9ed9f5355dcff8e31cff297f293cb03730fadd35adbaf919d88bc32d094a5c0de31c3f2eda2e33ba82f24ed0b37b73b3996d039

  • memory/4100-0-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB

  • memory/4100-1718-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB

  • memory/5216-1726-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB

  • memory/5216-8-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize: 52KB