Analysis

  • max time kernel
    122s
  • max time network
    110s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:18

General

  • Target

    2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

  • Size

    1.3MB

  • MD5

    8f09effb3c6427dae90e629653ddcd4f

  • SHA1

    8b018f7645045712327f4993938680f6e2e99c75

  • SHA256

    518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54

  • SHA512

    ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk22:oGeGO+njdzOvljv92

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:1164
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5876
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2936

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          8f09effb3c6427dae90e629653ddcd4f

          SHA1

          8b018f7645045712327f4993938680f6e2e99c75

          SHA256

          518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54

          SHA512

          ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

          Filesize

          1.3MB

          MD5

          40e42f7be138ae4005faf0f7225d56c4

          SHA1

          3fc572df9d987c3e3760f7e3de783454d136b984

          SHA256

          14e9b154dd55a9d28cc2f160c13663a3bbc472426eb9fca51e3ba88f87917c35

          SHA512

          72271e575848fb0ca854d396bd50c64b5e2026e612f9d086f74a9a995351dd194d18554a3630f4f54e56355e8eaa9654f34e8fa038977e53beca6591e3e76dcd

        • C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe$

          Filesize

          1.8MB

          MD5

          8668966f94defc6b79bf84b1837166d0

          SHA1

          3261f312aa4dcb266aee73e6bff4e4c0cef8cc4f

          SHA256

          381f52de996973484ebbadec4c1a1d9a90e914e8cb2b5ee18689e839555fe8d4

          SHA512

          6aa2272f7f2aaffe8c89a2fcf0f8dc939ea22f9ceccccd173c38833d07a7bf337d175a53b3c57cd4267c3677b009678297ebdd9f8732dfd6c11d5f9ae3d7f311

        • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe$

          Filesize

          1.4MB

          MD5

          c30e58209c4ff48fe79475677a276e5b

          SHA1

          a7aca2c018a0056ff1fa75d48be5721ad2dab618

          SHA256

          924014f7e792d0ef1bbd1c180a98c99629a252ac4f510ca69583b37666be0ce5

          SHA512

          19efbcb9dfed38d84cec9c8e2691ffb6e40c893f615dfa921abcf4b8ae703829345231c9e1662aff86b298a313a2d22fe83b94c40b3de62eccfa7a8aec7839e7

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          52236bc058fbdf1d3c3025bdc87332d2

          SHA1

          09403a596a5f5c5c5e9b881ecad2dd1449d5d89c

          SHA256

          007d8bd9e7ebf28635afafce70bec8bb835f64187b5ed308ab1e7b595400b741

          SHA512

          f63f4b52cb27190a9c490414a9b9dcd81fcb7285fe28ab70a50c1fdf7017e66acebae32bcee8255ace9cebf3ee5c4aecce29e5433491062f69ddd4c0ee2056b6

        • C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$

          Filesize

          1.4MB

          MD5

          1a7e962703c0bbb7baf702853685b3f0

          SHA1

          d92ffccd374abbb43247e86a6f9bf4f84ded58f5

          SHA256

          0eb95be539ebeee1df009393a5dd3a2a320bd09b9a2967ad538ba071b6715f91

          SHA512

          de184a2aa6086190252820ff92bb09baf0d083fc87a05a2af9f27a5d673213fcba1498874f540cb4bdb5b6d09d52629ea46f7ba2ba6bdefd0d399cc796136152

        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe$

          Filesize

          1.5MB

          MD5

          60c82e52c47977d4df809e543f632823

          SHA1

          60ee57af72f907b3faa7a941ffec277b8dff7aed

          SHA256

          5967cfac86aeaa998542b3df418c620198e063d24ca16e6c86a75c39f9db0e15

          SHA512

          0a40d23de665481c7d37255f66f7a59c7a93c07ad2b932818174519b971062479293ae34267cfec4991815b57fa9aca21a70e4fa9f4ce122fe9adaa2d1561abe

        • memory/1164-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1164-1554-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/2936-1555-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB