Analysis
-
max time kernel
122s -
max time network
110s -
platform
windows11-21h2_x64 -
resource
win11-20250610-en -
resource tags
arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
04/07/2025, 12:18
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Resource
win11-20250610-en
General
-
Target
2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
-
Size
1.3MB
-
MD5
8f09effb3c6427dae90e629653ddcd4f
-
SHA1
8b018f7645045712327f4993938680f6e2e99c75
-
SHA256
518d696a1c34babdf3bd8b68c972de65804b73f0b3c4b274a6457b557dd9cf54
-
SHA512
ca235651ebcc289f136bddf7e694b38ccaa68876fed31b7730f1cd9f12ca74bdda1028d1136231c60f0854154f53700b2b8a878ee7aa936a9637cbe171b17fc7
-
SSDEEP
24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk22:oGeGO+njdzOvljv92
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
2936 patcher.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" patcher.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification C:\Windows\SysWOW64\:\autorun.inf patcher.exe -
Drops file in System32 directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\:\autorun.inf patcher.exe -
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language patcher.exe -
NTFS ADS 1 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1164 2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
2936 patcher.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 5876 wrote to memory of 2936 5876 cmd.exe 80
PID 5876 wrote to memory of 2936 5876 cmd.exe 80
PID 5876 wrote to memory of 2936 5876 cmd.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_8f09effb3c6427dae90e629653ddcd4f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe", tree depth 1)
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1164
-
C:\Windows\system32\cmd.exe (command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe, tree depth 1)
- Suspicious use of WriteProcessMemory
PID:5876 -
C:\905c0769f9a06c95a24ddf945\patcher.exe (command line: C:\905c0769f9a06c95a24ddf945\patcher.exe, tree depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2936
-
Network
MITRE ATT&CK Enterprise v16
Downloads