Analysis
max time kernel: 123s
max time network: 106s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:13
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource
win11-20250610-en
General
Target: 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.4MB
MD5: 5253f80680a0966e9548d7cf95b5b5c4
SHA1: 20d74b053bb8dc68fcb05563f1a9c1f36ebd1232
SHA256: 06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7
SHA512: b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk26KY0TXz:oGeGO+njdzOvljv92y0Tj
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid | Process
5356 | patcher.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5292 | 2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
5356 | patcher.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3592 wrote to memory of 5356 | 3592 | cmd.exe | 80
PID 3592 wrote to memory of 5356 | 3592 | cmd.exe | 80
PID 3592 wrote to memory of 5356 | 3592 | cmd.exe | 80
Processes
Process: C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe" (depth 1)
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:5292
Process: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe (depth 1)
- Suspicious use of WriteProcessMemory
PID:3592
Process: C:\905c0769f9a06c95a24ddf945\patcher.exe
Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe (depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5356
Network
MITRE ATT&CK Enterprise v16
Downloads