Analysis

  • max time kernel
    123s
  • max time network
    106s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:13

General

  • Target

    2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

  • Size

    1.4MB

  • MD5

    5253f80680a0966e9548d7cf95b5b5c4

  • SHA1

    20d74b053bb8dc68fcb05563f1a9c1f36ebd1232

  • SHA256

    06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7

  • SHA512

    b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk26KY0TXz:oGeGO+njdzOvljv92y0Tj

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops autorun.inf file (1 TTP, 2 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_5253f80680a0966e9548d7cf95b5b5c4_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    PID: 5292
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
  • C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    PID: 3592
    • Suspicious use of WriteProcessMemory
    • C:\905c0769f9a06c95a24ddf945\patcher.exe (child of PID 3592)
      Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
      PID: 5356
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx

Network

        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.4MB

          MD5

          5253f80680a0966e9548d7cf95b5b5c4

          SHA1

          20d74b053bb8dc68fcb05563f1a9c1f36ebd1232

          SHA256

          06ddef792802aee16f8dbaea2ab84ee294a386cf3e8b76aae4c3efbe21461ed7

          SHA512

          b7f7606f70479f1d58b3f93c7ae7b5b7f40bd3a858fa66e7ba99703bcff8fcc4fff45eb3083eaf72c6569387bba579278725c82553a442a6795fc1b6f89296ad

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe$

          Filesize

          2.1MB

          MD5

          2e0750bfcf10cfcfbc248d783ff0aba8

          SHA1

          a7bc8d6b709e057000be3dd20812bcd9ba7ed8c1

          SHA256

          2d47d748b55e878907a32b9a5185f54c17423ff892276aff86a33c0bef915690

          SHA512

          2d2703c07182278caef813e5c42f03ce46d78f94f6aa8403efc400357897238da052a202cfdf1ea52267a3a000eb9154a57aa49fdb6cd61507e5908056dcea33

        • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe$

          Filesize

          1.5MB

          MD5

          41909cd292b08ece310f3cce91275af9

          SHA1

          b0f0a164488261c2652d282ccb4c2b1ea8c32628

          SHA256

          f558db2c13e097f8f7f528f087036957fd1364c8ba16a07e33afaeff652664b1

          SHA512

          59c695643094a225e58760e8988c8c1f5e5aabc1cc02e533c7d2adf826ad3d6f3e9a4a3189c75de8992d38c4d2fa866a5f2111c750877ffc3d71437d48a32c8a

        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe

          Filesize

          1.5MB

          MD5

          b6f7d098c817059a2a968ec14d166098

          SHA1

          c013fbbe893eda87d5c629aea688200140a0b5e8

          SHA256

          e913cd28d6fc2faa18dbd4c959db093700d669f3099b4731947dd09503d83813

          SHA512

          0dfeedfbe92e04ebba266396b55cb7b58e2cb6700b5b846848b877a8a10eb9f86addf0e18056b7a61e2fcd0bcf1c3b3e39ff9c9dd20faa7ae853a9abf9b7d7ec

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.9MB

          MD5

          b0270b8614e645872c933e0865502ba0

          SHA1

          a5ccd773220a84b34ee9e25d853b374cfbb0ccb7

          SHA256

          255f9cdf8a15d08dcb4ecbfd6d9103d71debf118c5902993864ccb3aa36412fa

          SHA512

          1f88569da608f18ced492df1f75b5d773b9627ffb9a7ee90992f32351add15f4c49e1dfcbb0bc84a22c1cf5d1244b104b223dff74dc7e65316d478e8a909c827

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe

          Filesize

          1.5MB

          MD5

          abc22efad8b836f080f606004bd4ddf2

          SHA1

          2146661ddc263473ec7861bc51ea11b01edfab2f

          SHA256

          7145edc466c893789904636f602fdeb8ecff1ef02691d58f84f7144097f867db

          SHA512

          e48a50e352cb76d345c69e6bf9ed9f5355dcff8e31cff297f293cb03730fadd35adbaf919d88bc32d094a5c0de31c3f2eda2e33ba82f24ed0b37b73b3996d039

        • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$

          Filesize

          1.8MB

          MD5

          03cce3788923b7c22d674c605ee53900

          SHA1

          30f34757c96f5dc9ec95f7743905d37bd4093d33

          SHA256

          9cdee110bd5384b35e9874ebe5c6253e58f3eb38bcd58b9fbfd7e6c611add3ea

          SHA512

          a611d966db7c2b22f95ddf491ae86920626e574c7312e3c767ce653b0e38e363fc6bf801f2fd356fdce68e8f1099aac04f85c85c8884e34cf68757891a60c665

        • memory/5292-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5292-1565-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5356-8-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5356-1566-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB