Analysis

  • max time kernel
    110s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:15

General

  • Target

    2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

  • Size

    1.3MB

  • MD5

    614153dad6bc03a96eb46e72ea0d5b75

  • SHA1

    05b9166159f852630be9c8df63868372b7028542

  • SHA256

    cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd

  • SHA512

    db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2T:oGeGO+njdzOvljv92

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows AutoRun to spread further via attached volumes. Note that since Windows 7, AutoRun from removable (non-optical) media is ignored by default, so on the Windows 11 image used here the dropped file is mainly evidence of a propagation attempt and a useful file-system IoC.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location, commonly used to decide whether to proceed with infection.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
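The "Drops autorun.inf file" signature above only counts the file; a responder will want to read it. The following Python helper, added to this report as an example (it is not the sandbox's output and not code from the sample), parses an autorun.inf and lists the directives that would execute a program. The autorun.inf text embedded in it is constructed for illustration, since the report records only that such a file was written, not its contents.

```python
"""Parse an autorun.inf and report what it would launch.

Added example for this report; not the sandbox's output and not code from
the sample. SAMPLE_AUTORUN is constructed for illustration: the report
records only that an autorun.inf was dropped, not its contents.
"""
import configparser
import re
from typing import Dict, List, Tuple

# Directives that execute a program directly.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds or hijacks a context-menu verb (Open, Explore).
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

SAMPLE_AUTORUN = r"""[AutoRun]
; constructed for this example, see the lead-in
open=patcher.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=patcher.exe
shell\explore\command=patcher.exe
UseAutoPlay=0
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys.

    Windows treats section and key names case-insensitively and malware
    mixes case freely, so both are normalised here. Values are kept raw:
    '%' is legal in paths, so interpolation is switched off.
    """
    cp = configparser.ConfigParser(
        interpolation=None,
        strict=False,                 # tolerate duplicate keys/sections
        delimiters=("=",),
        comment_prefixes=(";", "#"),
    )
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_targets(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """(directive, command) pairs for everything the file would execute."""
    hits = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            hits.append((key, value.strip().strip('"')))
    return hits


def is_suspicious(entries: Dict[str, str]) -> bool:
    """True when the file launches anything.

    A vendor CD installer also uses 'open', so treat this as a triage
    signal rather than a verdict. Since Windows 7, AutoRun from
    removable (non-optical) media is ignored by default, so on the
    Windows 11 image used here the file mostly matters as a dropped
    artefact and as evidence of a USB propagation attempt.
    """
    return bool(launch_targets(entries))


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN)
    for directive, command in launch_targets(found):
        print(f"{directive:24} -> {command}")
    print("suspicious:", is_suspicious(found))
```

Run it against the real autorun.inf recovered from the sandbox's file-system artefacts; the name it launches is the file to hash and block on every volume the sample could have touched.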

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:424
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5640

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          614153dad6bc03a96eb46e72ea0d5b75

          SHA1

          05b9166159f852630be9c8df63868372b7028542

          SHA256

          cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd

          SHA512

          db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456

        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge.exe

          Filesize

          1.4MB

          MD5

          8523e7a9144ffbe02efff44c9ae4f3d8

          SHA1

          6ab9098f5e687fd1af1aec6559b76bfa5f817328

          SHA256

          d45a3a7556e95cf5aa8c2408931221d29b1066977793551c1133362c6f8608bb

          SHA512

          c0f8633dde607d7cd42916748458005a849c0b9c7cb052ef0ce7b7ae1102701509e9805ca960b066e712a72c64aa31c8461ac69bceb70bd482c9cc0bc26bc0e9

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          f95912fb8ca8f66f30bc751da876f1a7

          SHA1

          80603c4f79c0e526ee89e2b4e5e4cc8a2100a53a

          SHA256

          11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17

          SHA512

          d2146f9600d619441fe8233e126a0cc8f0cf843dd8ad4b5e0e736fa84ca15b750317c893d292d3b97be2e38dfd37b1368f0353575f7d53bc95d4ab8f99ccb7bb

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE$

          Filesize

          1.9MB

          MD5

          57f1d04303d3a8f9f34fe4ea103d8d75

          SHA1

          f2e498169ee362d09f25326d605113517c135ef8

          SHA256

          21ec83741ad4c21204699c357f09d729cefa27b333c738d0c4a8d5223b301831

          SHA512

          c3aa74dbffd5604c9fdb4d951045f3eb3f45de842c9470328442e96af69c59d78c777e6434599167b310235d0125b5b60bea8b5137e70d3e0b73a5a1088d252e

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

          Filesize

          1.4MB

          MD5

          f27d0da088fcc20719fc9e49bce0b905

          SHA1

          37a85f478675d4bf5af5d22223bcb29c7526bd9a

          SHA256

          ab052ea0d1e9ed838e657dde9ad456c907310d0492a0b3ce4bab8dbe1997f808

          SHA512

          1b9acc932123385b2bfecf9215c4c9f2b36afa996d898b1cf634746efd5c4be748dfa00825a5f46a9ee5ebfcfbfd68677a55ebf225827ebd37a4241e27d5fd50

        • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$

          Filesize

          1.7MB

          MD5

          b79ce0cfde1d1feb6e229f64cf6dfb81

          SHA1

          195dea101c71f29dbea9249dc3f17ba9d05e83d5

          SHA256

          9ab81db48f6a2e1b07d3843ea1b530f58ce50793c6ea8ee18ae0de65c43df2c1

          SHA512

          8e5860f40ea3b814652ce8a7fb5569736e9a4d2df37c48265669c435336d19cda2e7ab068cf0dd3c40d14cfeb86dc9a6f9ba3858afccd753c9eb583d703cd6c9

        • C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe$

          Filesize

          1.5MB

          MD5

          3db1a78bea3ded0da508ff96aec13d7b

          SHA1

          4cb7147778bec80bdf784596722966c4e30d2cf3

          SHA256

          4f2d6a97493c51af5e701cc1431ac34ce767c36d75520de220f86c7b4e98ac9f

          SHA512

          090ab9fdd0063ee12aadf290107070f09bcf64f8251e23114053cb040f8fa27fa572dcde1624f97d764f6435489ba9342bd9c7ac20df55437ac22f74a06e9b6f

        • memory/424-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/424-1553-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5640-1575-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB
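Two things in the Downloads list deserve a second look. First, C:\905c0769f9a06c95a24ddf945\patcher.exe carries exactly the MD5, SHA1 and SHA256 of the submitted sample: the process tree shows the sample copying itself into a hex-named directory under the drive root and relaunching that copy through cmd.exe /c. Second, the report itself attributes no family (Malware Config is empty and every signature is generic), so the family names in the submitted filename should be read as the submitter's labels, not the sandbox's verdict. The Python helper below, an added example that is not the sandbox vendor's code or the sample's, classifies the dropped files; the paths and SHA-256 values are copied from this report, while the tag names, the protected-directory list and the regular expression are this example's own assumptions. The msedge.exe, 7z.exe, DW20.EXE$, misc.exe and integrator.exe$ entries under Program Files and ProgramData should be compared with the vendor's signed binaries (Get-AuthenticodeSignature or a known-good hash) before concluding whether they were overwritten.

```python
"""Triage helper for the files a sandbox run wrote to disk.

Added example for this report; it is not the sandbox vendor's code and not
the sample's. Paths and SHA-256 values are copied from the report's
General and Downloads sections; the tag names, the protected-directory
list and the regular expression are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# SHA-256 of the submitted sample (General section).
SAMPLE_SHA256 = "cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd"


@dataclass(frozen=True)
class Dropped:
    path: str
    size: str     # as printed in the report
    sha256: str


# Files from the Downloads section (memory dumps omitted; they carry no hash).
DROPPED: List[Dropped] = [
    Dropped(r"C:\905c0769f9a06c95a24ddf945\patcher.exe", "1.3MB",
            "cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd"),
    Dropped(r"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge.exe", "1.4MB",
            "d45a3a7556e95cf5aa8c2408931221d29b1066977793551c1133362c6f8608bb"),
    Dropped(r"C:\Program Files\7-Zip\7z.exe", "1.8MB",
            "11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17"),
    Dropped(r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE$", "1.9MB",
            "21ec83741ad4c21204699c357f09d729cefa27b333c738d0c4a8d5223b301831"),
    Dropped(r"C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe", "1.4MB",
            "ab052ea0d1e9ed838e657dde9ad456c907310d0492a0b3ce4bab8dbe1997f808"),
    Dropped(r"C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe$", "1.7MB",
            "9ab81db48f6a2e1b07d3843ea1b530f58ce50793c6ea8ee18ae0de65c43df2c1"),
    Dropped(r"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe$", "1.5MB",
            "4f2d6a97493c51af5e701cc1431ac34ce767c36d75520de220f86c7b4e98ac9f"),
]

# Directories a user-mode sample should never be writing executables into
# (assumed list; compared case-insensitively as a path prefix).
PROTECTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
    "c:\\windows\\system32\\",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")
# <drive>:\<16+ hex chars>\<file>: the drop location seen in the process tree.
HEX_ROOT_DIR_RE = re.compile(r"^[a-z]:\\[0-9a-f]{16,}\\[^\\]+$", re.IGNORECASE)


def classify(entry: Dropped, sample_sha256: str = SAMPLE_SHA256) -> List[str]:
    """Return the triage tags that apply to one dropped file, in fixed order."""
    tags: List[str] = []
    path = entry.path.lower()
    name = ntpath.basename(path).rstrip("$")   # DW20.EXE$ -> dw20.exe
    if entry.sha256.lower() == sample_sha256.lower():
        tags.append("self-copy")                # byte-identical to the submission
    if HEX_ROOT_DIR_RE.match(entry.path):
        tags.append("hex-named-root-dir")
    if path.startswith(PROTECTED_PREFIXES) and name.endswith(EXECUTABLE_SUFFIXES):
        tags.append("exe-in-protected-dir")     # verify against the vendor-signed copy
    if path.endswith("$"):
        tags.append("dollar-suffix")            # original name plus '$'
    return tags


def triage(entries: List[Dropped]) -> Dict[str, List[str]]:
    """Map each path to its tags; untagged files are kept so nothing is hidden."""
    return {e.path: classify(e) for e in entries}


def block_hashes(entries: List[Dropped]) -> Set[str]:
    """SHA-256 set to push to EDR/AV blocking for every tagged file."""
    return {e.sha256.lower() for e in entries if classify(e)}


if __name__ == "__main__":
    for path, tags in triage(DROPPED).items():
        print(f"{', '.join(tags) or '-':40} {path}")
    print(len(block_hashes(DROPPED)), "hashes to block")
```

The hash set is only a starting point: the three memory dumps show the same 52KB region at 0x400000 in both PID 424 and PID 5640, so any in-memory detection should key on that image rather than on the on-disk hashes, which a file-level change would invalidate.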