Analysis

max time kernel: 114s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:15 (4 July 2025, matching the date prefix of the sample name)
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Resource: win11-20250619-en
The platform and resource listed under Analysis are those of behavioral1, so the signatures and process tree below come from the Windows 10 run.
General

Target: 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.3MB
MD5: 614153dad6bc03a96eb46e72ea0d5b75
SHA1: 05b9166159f852630be9c8df63868372b7028542
SHA256: cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd
SHA512: db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2T:oGeGO+njdzOvljv92
Malware Config
Signatures

Key used in the tables below:
  sample = 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (the submitted file)
  M = File opened for modification, C = File created
  P = patcher.exe, S = sample

Executes dropped EXE (1 IoC)
  pid   Process
  352   patcher.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets. The report counts TTPs for this signature but lists no IoC lines for it.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
    written by: sample
    written by: patcher.exe
  Both processes write the same value. The key sits under WOW6432Node, the registry view a 32-bit process gets on 64-bit Windows (the resource is tagged arch:x86), so when hunting check both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its WOW6432Node counterpart for a value named WinFirewall that points at patcher.exe in a hex-named directory directly under C:\.

Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  M  C:\Users\Admin\AppData\Local\Temp\:\autorun.inf   S
  M  C:\Windows\SysWOW64\:\autorun.inf                 P
  Both paths contain a colon after a directory name, the NTFS alternate data stream syntax; the Temp path is the same one the NTFS ADS signature below is keyed on.

Drops file in System32 directory (1 IoC)
  M  C:\Windows\SysWOW64\:\autorun.inf   P

Drops file in Program Files directory (64 IoCs)
  M  C:\Program Files\Java\jdk-1.8\bin\idlj.exe$   P
  M  C:\Program Files\Java\jdk-1.8\bin\wsimport.exe   P
  M  C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE$   S
  M  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe$   P
  M  C:\Program Files (x86)\Internet Explorer\ExtExport.exe   P
  C  C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe   P
  M  C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe   P
  M  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe   P
  C  C:\Program Files\Java\jdk-1.8\bin\xjc.exe   S
  M  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe   S
  M  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe   P
  M  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe$   S
  M  C:\Program Files (x86)\Windows Mail\wabmig.exe   S
  M  C:\Program Files\Java\jdk-1.8\bin\jhat.exe$   S
  M  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe   P
  M  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe$   P
  M  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe   S
  M  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe   S
  C  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe   S
  M  C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe   P
  M  C:\Program Files\Java\jre-1.8\bin\ktab.exe   S
  C  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE   S
  M  C:\Program Files\Mozilla Firefox\firefox.exe$   S
  M  C:\Program Files\Mozilla Firefox\private_browsing.exe   P
  M  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge.exe$   S
  C  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe   S
  M  C:\Program Files\Java\jdk-1.8\bin\javaws.exe   P
  M  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe$   S
  M  C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe$   P
  C  C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe   S
  M  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe   S
  M  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe   S
  M  C:\Program Files\Internet Explorer\iediagcmd.exe   P
  C  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe   P
  M  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe$   P
  M  C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe   S
  C  C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe   S
  M  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe   P
  M  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe$   P
  C  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge.exe   S
  M  C:\Program Files\7-Zip\7zFM.exe   P
  M  C:\Program Files\Java\jdk-1.8\bin\servertool.exe   S
  M  C:\Program Files\Java\jre-1.8\bin\unpack200.exe   S
  M  C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE   P
  M  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe$   S
  M  C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe   P
  M  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe$   S
  M  C:\Program Files (x86)\Internet Explorer\ExtExport.exe   S
  M  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe   S
  M  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\cookie_exporter.exe   P
  M  C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe   S
  C  C:\Program Files\Microsoft Office\root\Office16\msoev.exe   S
  M  C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE   S
  M  C:\Program Files\Mozilla Firefox\private_browsing.exe   S
  M  C:\Program Files\Java\jdk-1.8\bin\unpack200.exe   P
  M  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe   P
  M  C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe$   P
  M  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe   P
  M  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe$   P
  M  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe   S
  M  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86296\javaws.exe   P
  M  C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevation_service.exe   S
  M  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe   S
  C  C:\Program Files\Google\Chrome\Application\chrome.exe   P
  Every target is an existing third-party or Microsoft executable, and many paths end in "$"; several executables appear both with and without that suffix (pack200.exe and pack200.exe$, OLicenseHeartbeat.exe and OLicenseHeartbeat.exe$). On a host showing this pattern, compare the hash and Authenticode signature of each executable against its "$" sibling before trusting either.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   P
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   S

NTFS ADS (1 IoC)
  M  C:\Users\Admin\AppData\Local\Temp\:\autorun.inf   S

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  5948   sample
  352    patcher.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process   procid_target
  PID 440 wrote to memory of 352   440   cmd.exe   89
  The same event is recorded three times. It establishes cmd.exe (PID 440) as the parent of patcher.exe (PID 352); see Processes.
Processes

- C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (PID 5948)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
  signatures: Adds Run key to start application; Drops autorun.inf file; Drops file in Program Files directory; System Location Discovery: System Language Discovery; NTFS ADS; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\cmd.exe (PID 440)
  command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
  signatures: Suspicious use of WriteProcessMemory
  - C:\905c0769f9a06c95a24ddf945\patcher.exe (PID 352), child of cmd.exe (PID 440)
    command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Drops autorun.inf file; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

The report shows cmd.exe as a second process root: it does not record which process launched it, so the link between the sample (PID 5948) and the cmd.exe /c launch of patcher.exe is not visible here even though the sample is the only other process in the tree.
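The signature and process sections above print every IoC as a flat line, which is awkward to hunt from. The script below is an added example, not part of the Triage report or its tooling: it parses a constructed subset of those lines (copied from the report) into records and derives the facts a responder wants, namely the Run value to look for, which paths use NTFS stream syntax, which executables have a "$" sibling, and the parent/child relation encoded in the WriteProcessMemory line. It assumes the layout the report uses, "<operation> <path> <process>" with the process name as the last token, and hard-codes the three process names seen in this report.

```python
"""Turn Triage-style signature lines into structured IoC records.

Added example; not part of the Triage report or its tooling. Input lines
are constructed from the report above (a subset of its IoCs). Assumed
layout, taken from how the report prints them: "<operation> <path>
<process>", with the process name as the last token, so a path may
contain spaces but a process name may not.
"""
import re
from collections import Counter

# Name of the submitted sample exactly as the report prints it.
SAMPLE = ("2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_"
          "darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe")
# Process names seen in this report, longest first so the sample name is
# tried before the shorter ones when peeling a name off a line's end.
PROCESSES = sorted({SAMPLE, "patcher.exe", "cmd.exe"}, key=len, reverse=True)
FILE_OPS = ("File opened for modification", "File created")

# Constructed subset of the report's file IoCs (Program Files, System32
# and autorun.inf entries).
FILE_IOCS = [
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe$ patcher.exe",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe$ patcher.exe",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe " + SAMPLE,
    r"File created C:\Program Files\Google\Chrome\Application\chrome.exe patcher.exe",
    r"File opened for modification C:\Windows\SysWOW64\:\autorun.inf patcher.exe",
    r"File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf " + SAMPLE,
    r"File opened for modification C:\Program Files\7-Zip\7zFM.exe patcher.exe",
]
# The Run-key IoC as printed (backslashes inside the value are doubled).
REG_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows'
    r'\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" patcher.exe',
]
# The WriteProcessMemory IoC; the report records the same event three times.
WPM_IOCS = ["PID 440 wrote to memory of 352 440 cmd.exe 89"] * 3

REG_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def split_process(line):
    """Return (body, process) by peeling a known process name off the end."""
    for proc in PROCESSES:
        if line.endswith(" " + proc):
            return line[: -len(proc) - 1], proc
    raise ValueError(f"no known process at end of line: {line!r}")


def parse_file_ioc(line):
    """Split a file IoC into its operation, path and acting process."""
    body, proc = split_process(line)
    for op in FILE_OPS:
        if body.startswith(op + " "):
            return {"op": op, "path": body[len(op) + 1:], "process": proc}
    raise ValueError(f"unknown file operation in line: {line!r}")


def is_ads_path(path):
    """True when a colon follows the drive letter: NTFS 'name:stream' syntax."""
    return re.match(r"^[A-Za-z]:.*:", path) is not None


def backup_pairs(records):
    """Paths that occur both as X and as X$ (an executable beside a '$' sibling)."""
    paths = {r["path"] for r in records}
    return sorted(p[:-1] for p in paths if p.endswith("$") and p[:-1] in paths)


def parse_reg_ioc(line):
    """Parse a 'Set value' IoC; flag keys written through the WOW6432Node view."""
    body, proc = split_process(line)
    m = REG_RE.match(body)
    if m is None:
        raise ValueError(f"unrecognised registry IoC: {line!r}")
    kind, key, value = m.groups()
    return {"type": kind, "key": key, "value_name": key.rsplit("\\", 1)[-1],
            "value": value.replace("\\\\", "\\"), "process": proc,
            "wow64_view": "\\WOW6432Node\\" in key}


def parse_wpm_ioc(line):
    """Parse 'PID a wrote to memory of b <pid> <process> <procid_target>'."""
    m = WPM_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised WriteProcessMemory IoC: {line!r}")
    src, dst, _pid, proc, target = m.groups()
    return {"source_pid": int(src), "target_pid": int(dst),
            "process": proc, "procid_target": int(target)}


def summarize(file_lines=FILE_IOCS, reg_lines=REG_IOCS, wpm_lines=WPM_IOCS):
    """Derive the hunting facts: ADS paths, '$' pairs, Run values, parent/child."""
    files = [parse_file_ioc(l) for l in file_lines]
    regs = [parse_reg_ioc(l) for l in reg_lines]
    wpm = [parse_wpm_ioc(l) for l in wpm_lines]
    return {
        "ads_paths": sorted(r["path"] for r in files if is_ads_path(r["path"])),
        "backup_pairs": backup_pairs(files),
        "files_per_process": dict(Counter(r["process"] for r in files)),
        "run_values": [(r["value_name"], r["value"], r["wow64_view"]) for r in regs],
        # Deduplicate the repeated WriteProcessMemory events into one edge.
        "parent_child": sorted({(w["source_pid"], w["target_pid"], w["process"]) for w in wpm}),
    }


if __name__ == "__main__":
    for key, val in summarize().items():
        print(f"{key}: {val}")
```

The process name is peeled off the end rather than split on whitespace because Program Files paths contain spaces; adding a new process name to PROCESSES is all that is needed for another report. The "$" pairing and the ADS check are deliberately kept as separate predicates so each can be turned into a host-side query on its own.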
-
Network
MITRE ATT&CK Enterprise v16
Downloads

- Path not shown (same size and hashes as the submitted sample)
  Filesize: 1.3MB
  MD5: 614153dad6bc03a96eb46e72ea0d5b75
  SHA1: 05b9166159f852630be9c8df63868372b7028542
  SHA256: cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd
  SHA512: db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456

- Path not shown
  Filesize: 1.6MB
  MD5: e8b5bd69db003d30bf6f219858012680
  SHA1: 0739b15e0f76c507fd6ab714426f2a69cfd0f85a
  SHA256: ff89a84f8117616c198afef00e490e51f9e88d5714688e83c59b3463ddf8d412
  SHA512: 91003c008d03b123548880a64e81b85e715b0c4372eaa3e423ade8995bff1782f0e4702bddab8644145a1922fcc4f8125aaa4ba4dd81a51972f4d0a00e0fe339

- Path not shown
  Filesize: 1.4MB
  MD5: 8523e7a9144ffbe02efff44c9ae4f3d8
  SHA1: 6ab9098f5e687fd1af1aec6559b76bfa5f817328
  SHA256: d45a3a7556e95cf5aa8c2408931221d29b1066977793551c1133362c6f8608bb
  SHA512: c0f8633dde607d7cd42916748458005a849c0b9c7cb052ef0ce7b7ae1102701509e9805ca960b066e712a72c64aa31c8461ac69bceb70bd482c9cc0bc26bc0e9

- Path not shown
  Filesize: 1.8MB
  MD5: f95912fb8ca8f66f30bc751da876f1a7
  SHA1: 80603c4f79c0e526ee89e2b4e5e4cc8a2100a53a
  SHA256: 11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17
  SHA512: d2146f9600d619441fe8233e126a0cc8f0cf843dd8ad4b5e0e736fa84ca15b750317c893d292d3b97be2e38dfd37b1368f0353575f7d53bc95d4ab8f99ccb7bb

- Path not shown
  Filesize: 1.4MB
  MD5: bb2d3518128232223c9d47148705fb8d
  SHA1: f56d6da0c690749155ad366382d67d0a916e452a
  SHA256: db98d5b151191a0b10288a573bac3efb306182ba8b2df370881ae37979d93798
  SHA512: 4a8f6b2f2f58ea595018d426c6eb383cccfbd3523e77d4a1827e522f584ceca8147c12d7a7cd91da493927ec6ab61e0ab1893a5c0cb1de6786477a458dd6cc78

- C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe$
  Filesize: 1.4MB
  MD5: f27d0da088fcc20719fc9e49bce0b905
  SHA1: 37a85f478675d4bf5af5d22223bcb29c7526bd9a
  SHA256: ab052ea0d1e9ed838e657dde9ad456c907310d0492a0b3ce4bab8dbe1997f808
  SHA512: 1b9acc932123385b2bfecf9215c4c9f2b36afa996d898b1cf634746efd5c4be748dfa00825a5f46a9ee5ebfcfbfd68677a55ebf225827ebd37a4241e27d5fd50

The first entry is the submitted sample itself; the remaining entries are files the sandbox captured during the run, and only the last one is shown with a path. Its "$" suffix matches the naming pattern seen throughout the Program Files IoCs above.