Analysis
max time kernel: 80s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:18
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win10v2004-20250619-en
Behavioral task: behavioral2
Sample: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource: win11-20250610-en
General
Target: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.3MB
MD5: 8f09effb3c6427dae90e629653ddcd4f
SHA1: 8b018f7645045712327f4993938680f6e2e99c75
SHA256: 518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54
SHA512: ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk22:oGeGO+njdzOvljv92
Malware Config
Signatures
Executes dropped EXE (1 IoC)
PID 3520: patcher.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (Process: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" (Process: patcher.exe)
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf (Process: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe)
- File opened for modification C:\Windows\SysWOW64\:\autorun.inf (Process: patcher.exe)
Drops file in System32 directory (1 IoC)
- File opened for modification C:\Windows\SysWOW64\:\autorun.inf (Process: patcher.exe)
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: patcher.exe)
NTFS ADS (1 IoC)
- File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf (Process: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 352: 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
- PID 3520: patcher.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2636 (cmd.exe) wrote to memory of PID 3520 (target process id 88)
- PID 2636 (cmd.exe) wrote to memory of PID 3520 (target process id 88)
- PID 2636 (cmd.exe) wrote to memory of PID 3520 (target process id 88)
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (PID 352, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (PID 2636, depth 1)
Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
- Suspicious use of WriteProcessMemory

  C:\905c0769f9a06c95a24ddf945\patcher.exe (PID 3520, depth 2, spawned by cmd.exe PID 2636)
  Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads