Analysis

  • max time kernel
    80s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 12:18

General

  • Target

    2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

  • Size

    1.3MB

  • MD5

    8f09effb3c6427dae90e629653ddcd4f

  • SHA1

    8b018f7645045712327f4993938680f6e2e99c75

  • SHA256

    518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54

  • SHA512

    ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk22:oGeGO+njdzOvljv92

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
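
The three behaviours the sandbox flags above (Run key persistence, autorun.inf drop, executables written under Program Files) are all visible in endpoint telemetry. The following is an added example, not part of the sandbox report or of the sample, showing how a detection pass over Sysmon-style events (EID 13 registry SetValue, EID 11 FileCreate) would surface them and correlate "persists" with "spreads" per process image. The events are constructed for the example and mirror the process tree in this report; the installer allow-list is an assumption.

```python
"""Detect the signatures listed above in Sysmon-style events (constructed example)."""
import re

# Run / RunOnce values under any hive (Sysmon EID 13, RegistryEvent SetValue).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# autorun.inf written to the root of a drive (Sysmon EID 11, FileCreate).
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.IGNORECASE)
# Executables created under Program Files / System32.
TRUSTED_DIR_RE = re.compile(
    r"^[A-Z]:\\(Program Files( \(x86\))?|Windows\\System32)\\.*\.exe$", re.IGNORECASE)
# Assumption: images that legitimately write into Program Files and should be ignored.
INSTALLER_IMAGES = {r"c:\windows\system32\msiexec.exe"}

# Constructed Sysmon-like events (not taken from the report); only the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\905c0769f9a06c95a24ddf945\patcher.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\patcher",
     "Details": r"C:\905c0769f9a06c95a24ddf945\patcher.exe"},
    {"EventID": 11, "Image": r"C:\905c0769f9a06c95a24ddf945\patcher.exe",
     "TargetFilename": r"E:\autorun.inf"},
    {"EventID": 11, "Image": r"C:\905c0769f9a06c95a24ddf945\patcher.exe",
     "TargetFilename": r"C:\Program Files\7-Zip\7z.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},   # benign installer, excluded
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe"},
]


def classify(event):
    """Return (technique, label) pairs triggered by one event.

    Technique is the ATT&CK ID where the signature has one; the Program Files
    write carries none in the report, so it is reported with technique=None.
    """
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        hits.append(("T1547.001", "Adds Run key to start application"))
    if eid == 11:
        target = event.get("TargetFilename", "")
        if AUTORUN_RE.match(target):
            hits.append(("T1091", "Drops autorun.inf file"))
        elif TRUSTED_DIR_RE.match(target) and image not in INSTALLER_IMAGES:
            hits.append((None, "Drops file in Program Files / System32 directory"))
    return hits


def scan(events):
    """Flatten all findings as (image, technique, label)."""
    findings = []
    for ev in events:
        for technique, label in classify(ev):
            findings.append((ev.get("Image", ""), technique, label))
    return findings


def suspicious_images(events):
    """Images that both persist (Run key) and spread (autorun.inf): the dropper profile."""
    per_image = {}
    for image, technique, _ in scan(events):
        per_image.setdefault(image, set()).add(technique)
    return sorted(i for i, t in per_image.items() if {"T1547.001", "T1091"} <= t)


if __name__ == "__main__":
    for image, technique, label in scan(SAMPLE_EVENTS):
        print(f"{technique or '-':10} {label:55} {image}")
    print("persist+spread:", suspicious_images(SAMPLE_EVENTS))
```

The allow-list keeps genuine installers out of the Program Files rule; in production the same rule should also require that the writing image is not signed by the vendor whose directory it is writing into, which this example does not check.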

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:352
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3520

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          8f09effb3c6427dae90e629653ddcd4f

          SHA1

          8b018f7645045712327f4993938680f6e2e99c75

          SHA256

          518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54

          SHA512

          ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7

        • C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe$

          Filesize

          1.4MB

          MD5

          5d4467cfba0c674d5e4ace47544f2e14

          SHA1

          f3a843a4cf99c60d822bf5926d3976ecea11f873

          SHA256

          495b199bac8b7acb33df60ce2cc3a3bbfdbc94ce244696600231660b4775eae4

          SHA512

          daed64338ec0f90014b7af7c783965ed4b2b4e371a123fe51a5f372c5a2c6e4df06c87ef3d50cb98f3176f8ef7c70359872ed0d31ca6796bd07718a3162eccac

        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

          Filesize

          1.4MB

          MD5

          163e3058e16761df079982d7ead6cc62

          SHA1

          e569e2912142b4c78ba93d329f5991fd3d7eea07

          SHA256

          a29f6d8a809be1595c5b3300f191b34005fc14ad4bce62bae88878e681db6507

          SHA512

          c11a1532bc9ba4f7efca7d958814e8fd7e9042461e57296193be4f063c747291c321feb4da45582bfeda1214b6fb2f3b74ca79d96c641653009e0293d6e96c3e

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          52236bc058fbdf1d3c3025bdc87332d2

          SHA1

          09403a596a5f5c5c5e9b881ecad2dd1449d5d89c

          SHA256

          007d8bd9e7ebf28635afafce70bec8bb835f64187b5ed308ab1e7b595400b741

          SHA512

          f63f4b52cb27190a9c490414a9b9dcd81fcb7285fe28ab70a50c1fdf7017e66acebae32bcee8255ace9cebf3ee5c4aecce29e5433491062f69ddd4c0ee2056b6

        • C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

          Filesize

          1.4MB

          MD5

          9777d461006ade0fcd7190213de19026

          SHA1

          14ae5b326d871fb49bf98104fd4ba0c96433cc4a

          SHA256

          377f17c5b091059a5bd9bc9066353cb6b3a94db3dec11ffa6d6880205b1c792e

          SHA512

          589af044c47f411d413bc0fba73a5be3e6752e0c4ffdf59c4921f98038dc3c60906d2c3175995cfc88714d00cefc555223722bb5f152c45ac3f97d7acd6d34ce

        • C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe

          Filesize

          1.4MB

          MD5

          1a7e962703c0bbb7baf702853685b3f0

          SHA1

          d92ffccd374abbb43247e86a6f9bf4f84ded58f5

          SHA256

          0eb95be539ebeee1df009393a5dd3a2a320bd09b9a2967ad538ba071b6715f91

          SHA512

          de184a2aa6086190252820ff92bb09baf0d083fc87a05a2af9f27a5d673213fcba1498874f540cb4bdb5b6d09d52629ea46f7ba2ba6bdefd0d399cc796136152

        • memory/352-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/352-1677-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/3520-1713-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB
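
Two things stand out in the download list: C:\905c0769f9a06c95a24ddf945\patcher.exe carries exactly the same hashes as the submitted sample (a self-copy, not a second-stage download), and every other dropped file sits at the path of a legitimate third-party or Microsoft executable under Program Files. The following is an added example, not part of the sandbox report, that turns that list into a triage helper: it finds self-copies by hash, lists the trusted-location writes, builds a de-duplicated SHA256 IOC set, and matches that set against files on disk. The SHA256 values are transcribed from the report above; the directory scanner and its chunk size are the example's own.

```python
"""Triage the dropped-file list and match its hashes against files on disk (added example)."""
import hashlib
import os
import re

# SHA256 of the submitted sample, transcribed from the report.
SAMPLE_SHA256 = "518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54"

# (path, sha256) for each entry under "Downloads", transcribed from the report.
DROPPED = [
    (r"C:\905c0769f9a06c95a24ddf945\patcher.exe",
     "518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54"),
    (r"C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe$",
     "495b199bac8b7acb33df60ce2cc3a3bbfdbc94ce244696600231660b4775eae4"),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "a29f6d8a809be1595c5b3300f191b34005fc14ad4bce62bae88878e681db6507"),
    (r"C:\Program Files\7-Zip\7z.exe",
     "007d8bd9e7ebf28635afafce70bec8bb835f64187b5ed308ab1e7b595400b741"),
    (r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe",
     "377f17c5b091059a5bd9bc9066353cb6b3a94db3dec11ffa6d6880205b1c792e"),
    (r"C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe",
     "0eb95be539ebeee1df009393a5dd3a2a320bd09b9a2967ad538ba071b6715f91"),
]

TRUSTED_DIR_RE = re.compile(
    r"^[A-Z]:\\(Program Files( \(x86\))?|Windows\\System32)\\", re.IGNORECASE)


def self_copies(sample_sha256, dropped):
    """Paths whose hash equals the submitted sample: the malware copying itself."""
    return [p for p, h in dropped if h.lower() == sample_sha256.lower()]


def trusted_location_writes(dropped):
    """Dropped files at paths normally owned by installed software or Windows."""
    return [p for p, _ in dropped if TRUSTED_DIR_RE.match(p)]


def ioc_hashset(sample_sha256, dropped):
    """De-duplicated SHA256 set covering the sample and everything it wrote."""
    return {sample_sha256.lower()} | {h.lower() for _, h in dropped}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, hashset):
    """Walk root and return sorted (path, sha256) for files whose hash is in hashset."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = sha256_file(path)
            except OSError:        # unreadable or vanished file: skip, keep scanning
                continue
            if h in hashset:
                matches.append((path, h))
    return sorted(matches)


if __name__ == "__main__":
    print("self-copies:", self_copies(SAMPLE_SHA256, DROPPED))
    print("trusted-location writes:", len(trusted_location_writes(DROPPED)))
    print("distinct IOC hashes:", len(ioc_hashset(SAMPLE_SHA256, DROPPED)))
    print("matches under CWD:", scan_tree(".", ioc_hashset(SAMPLE_SHA256, DROPPED)))
```

Hash matching only catches byte-identical copies; on a host where the same sample has infected other binaries, the hashes of the overwritten Program Files executables will differ from the ones in this report, so the path list and the Sysmon-style behavioural detection are the more durable indicators.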