Analysis

max time kernel: 110s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:15
Static task: static1

Behavioral task: behavioral1
Sample: 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win10v2004-20250610-en

Behavioral task: behavioral2
Sample: 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win11-20250619-en
General

Target: 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.3MB
MD5: 614153dad6bc03a96eb46e72ea0d5b75
SHA1: 05b9166159f852630be9c8df63868372b7028542
SHA256: cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd
SHA512: db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2T:oGeGO+njdzOvljv92
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
pid | Process
5640 | patcher.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | patcher.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\pwahelper.exe | patcher.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe | patcher.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\ie_to_edge_stub.exe | patcher.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE$ | patcher.exe
File opened for modification | C:\Program Files\Windows Mail\wab.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\klist.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\nmhproxy.exe$ | patcher.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe$ | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\TerminalAzBridge.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_proxy.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe$ | patcher.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | patcher.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe$ | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe

NTFS ADS (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
424 | 2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
5640 | patcher.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4796 wrote to memory of 5640 | 4796 | cmd.exe | 80
PID 4796 wrote to memory of 5640 | 4796 | cmd.exe | 80
PID 4796 wrote to memory of 5640 | 4796 | cmd.exe | 80
Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_614153dad6bc03a96eb46e72ea0d5b75_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID: 424

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
- Suspicious use of WriteProcessMemory
PID: 4796

    C:\905c0769f9a06c95a24ddf945\patcher.exe (depth 2, child of cmd.exe)
    Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 5640
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 1.3MB
MD5: 614153dad6bc03a96eb46e72ea0d5b75
SHA1: 05b9166159f852630be9c8df63868372b7028542
SHA256: cb688c9290277104865f42be22abf2f63dc7556df874f338a6b123e8eb6661fd
SHA512: db3323b377f01a6981fff9b563a93ce1db0573e1974f817078e97545b24492e3c223773ce33b70b273f34b8c99f48ee9ebe9a246f2522143e59809f75bf57456

Filesize: 1.4MB
MD5: 8523e7a9144ffbe02efff44c9ae4f3d8
SHA1: 6ab9098f5e687fd1af1aec6559b76bfa5f817328
SHA256: d45a3a7556e95cf5aa8c2408931221d29b1066977793551c1133362c6f8608bb
SHA512: c0f8633dde607d7cd42916748458005a849c0b9c7cb052ef0ce7b7ae1102701509e9805ca960b066e712a72c64aa31c8461ac69bceb70bd482c9cc0bc26bc0e9

Filesize: 1.8MB
MD5: f95912fb8ca8f66f30bc751da876f1a7
SHA1: 80603c4f79c0e526ee89e2b4e5e4cc8a2100a53a
SHA256: 11711262c1b9fb08cb98c18fc2ccc9f343a73e81573952fa7a3ca294d9e80e17
SHA512: d2146f9600d619441fe8233e126a0cc8f0cf843dd8ad4b5e0e736fa84ca15b750317c893d292d3b97be2e38dfd37b1368f0353575f7d53bc95d4ab8f99ccb7bb

Filesize: 1.9MB
MD5: 57f1d04303d3a8f9f34fe4ea103d8d75
SHA1: f2e498169ee362d09f25326d605113517c135ef8
SHA256: 21ec83741ad4c21204699c357f09d729cefa27b333c738d0c4a8d5223b301831
SHA512: c3aa74dbffd5604c9fdb4d951045f3eb3f45de842c9470328442e96af69c59d78c777e6434599167b310235d0125b5b60bea8b5137e70d3e0b73a5a1088d252e

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
Filesize: 1.4MB
MD5: f27d0da088fcc20719fc9e49bce0b905
SHA1: 37a85f478675d4bf5af5d22223bcb29c7526bd9a
SHA256: ab052ea0d1e9ed838e657dde9ad456c907310d0492a0b3ce4bab8dbe1997f808
SHA512: 1b9acc932123385b2bfecf9215c4c9f2b36afa996d898b1cf634746efd5c4be748dfa00825a5f46a9ee5ebfcfbfd68677a55ebf225827ebd37a4241e27d5fd50

Filesize: 1.7MB
MD5: b79ce0cfde1d1feb6e229f64cf6dfb81
SHA1: 195dea101c71f29dbea9249dc3f17ba9d05e83d5
SHA256: 9ab81db48f6a2e1b07d3843ea1b530f58ce50793c6ea8ee18ae0de65c43df2c1
SHA512: 8e5860f40ea3b814652ce8a7fb5569736e9a4d2df37c48265669c435336d19cda2e7ab068cf0dd3c40d14cfeb86dc9a6f9ba3858afccd753c9eb583d703cd6c9

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe$
Filesize: 1.5MB
MD5: 3db1a78bea3ded0da508ff96aec13d7b
SHA1: 4cb7147778bec80bdf784596722966c4e30d2cf3
SHA256: 4f2d6a97493c51af5e701cc1431ac34ce767c36d75520de220f86c7b4e98ac9f
SHA512: 090ab9fdd0063ee12aadf290107070f09bcf64f8251e23114053cb040f8fa27fa572dcde1624f97d764f6435489ba9342bd9c7ac20df55437ac22f74a06e9b6f