Analysis
max time kernel: 114s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:20
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Resource: win11-20250619-en
General
Target: 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.3MB
MD5: a5a18e79745d5b5912d00215e38da97f
SHA1: 654bbbd888a9eb028b78cba6a5d6a427c166a374
SHA256: ca29e3c11dcaefb761fdc53dd47fa6a206869aae38c99b14189fe8d1e0af827f
SHA512: 1152db73ad536ac6e5eb8448e5857ec87955f4bcc377dc672626d487199531d11c3c5f1754152addc52607d1413a6c1d1fcde580c6f4b43b964db1321a97da3c
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2U+:oGeGO+njdzOvljv92V
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | process
244 | patcher.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Note: the value lands under WOW6432Node (the 32-bit view of HKLM\SOFTWARE) because both processes are 32-bit; a 64-bit hunting tool or PowerShell session must query the WOW6432Node path explicitly rather than HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in System32 directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory (64 IoCs)
In the process column, "sample" stands for 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe.
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | sample
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe$ | sample
File created | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE$ | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateSetup.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe$ | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe$ | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | patcher.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | patcher.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | patcher.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpconfig.exe | patcher.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | sample
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | patcher.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | patcher.exe
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe | sample
File created | C:\Program Files\Java\jdk-1.8\bin\javah.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE$ | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe | patcher.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | sample
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\pwahelper.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe$ | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe$ | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe$ | patcher.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | sample
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_helper.exe | patcher.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\cookie_exporter.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Install\{EAA39111-53F6-45EF-8DE6-ADB7B91C5CDF}\MicrosoftEdge_X64_133.0.3065.69.exe$ | sample
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe$$ | patcher.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe | sample
File created | C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | sample
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | sample
File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\elevation_service.exe | sample
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge_pwa_launcher.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE | sample
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe | patcher.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
NTFS ADS (1 IoC)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
64 | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
244 | patcher.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 4992 wrote to memory of 244 | 4992 | cmd.exe | 91
PID 4992 wrote to memory of 244 | 4992 | cmd.exe | 91
PID 4992 wrote to memory of 244 | 4992 | cmd.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (PID 64)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
   - Adds Run key to start application
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
1. C:\Windows\system32\cmd.exe (PID 4992)
   Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
   - Suspicious use of WriteProcessMemory
   2. C:\905c0769f9a06c95a24ddf945\patcher.exe (PID 244, child of cmd.exe)
      Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
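The report above gives a host responder a small set of concrete artifacts: a Run value named WinFirewall under the WOW6432Node Run key, a dropped patcher.exe in C:\905c0769f9a06c95a24ddf945, autorun.inf rendered as an alternate data stream on the user's Temp directory and on SysWOW64, six file hashes in the Downloads section, and dozens of vendor executables under Program Files that both processes opened for modification (several with a trailing "$" or "$$" beside the real name). The following sweep is an added example, not part of the sandbox report and not code from any project named on this page. It assumes an elevated PowerShell 5.1 or later session on the suspect host; the output file name $Report and the choice of which touched executables to signature-check are the author's assumptions, while the registry path, dropped-file path, stream locations and hash values are taken from this page.

```powershell
# Added example (not from the sandbox report): sweep a Windows host for the
# artifacts this report lists. Read-only apart from the CSV it writes.
# Assumption: $Report is our own output location, not a path the report names.
$Report   = "$env:TEMP\patcher_ioc_sweep.csv"
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Item, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item; Detail = $Detail })
}

# 1. Persistence: the report shows the value written under the 32-bit (WOW6432Node) Run key,
#    so query that path explicitly; a 64-bit session will not see it under the native key.
$RunKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$RunVal = (Get-ItemProperty -Path $RunKey -Name 'WinFirewall' -ErrorAction SilentlyContinue).WinFirewall
if ($RunVal) { Add-Finding 'RunKey' "$RunKey\WinFirewall" $RunVal }

# 2. Dropped payload path (checked independently of the Run value, which may have been cleaned).
$Dropped = 'C:\905c0769f9a06c95a24ddf945\patcher.exe'
if (Test-Path -LiteralPath $Dropped) {
    $h = (Get-FileHash -LiteralPath $Dropped -Algorithm SHA256).Hash
    Add-Finding 'DroppedFile' $Dropped "SHA256=$h"
}

# 3. SHA256 values from the report's Downloads section, matched against executables in the
#    directories the report shows being touched. "$"/"$$"-suffixed names are flagged as well,
#    since the report records both processes writing such files next to vendor binaries.
$KnownSha256 = @(
    'ca29e3c11dcaefb761fdc53dd47fa6a206869aae38c99b14189fe8d1e0af827f',
    '7ce38223c21004ce68eec0acbdcbf026882dcb10e836b3135d5b9f241dc2abd2',
    '29018aa48eea2c6a0ad4fa58c82b0748e88efc971a91467730d654217f2a23d9',
    '9c3cd8f001fbdc27034a050be656847731bced95bb3fbb97445b6131664c117f',
    '13b208546074797faee60e76c6c539ecb10ef5517706a10bd77e51a8e328dc22',
    'bdd0a2dd8cfb710282c7b9b058023114c901787b8b56f789fb33755e825e1035'
)
$HashScope = @($env:TEMP, 'C:\905c0769f9a06c95a24ddf945', $env:ProgramFiles, ${env:ProgramFiles(x86)})
foreach ($dir in $HashScope) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Include '*.exe','*.exe$','*.exe$$' -ErrorAction SilentlyContinue |
      ForEach-Object {
        if ($_.Name -match '\$+$') { Add-Finding 'DollarSuffix' $_.FullName 'unexpected $-suffixed executable' }
        $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha -and ($KnownSha256 -contains $sha.ToLower())) { Add-Finding 'KnownHash' $_.FullName $sha }
      }
}

# 4. Alternate data streams on the two directories where the sandbox recorded autorun.inf
#    (the report flags the Temp instance as NTFS ADS). A plain autorun.inf is checked too.
foreach ($dir in @($env:TEMP, "$env:windir\SysWOW64")) {
    Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object { Add-Finding 'ADS' $dir "stream=$($_.Stream) length=$($_.Length)" }
    $plain = Join-Path $dir 'autorun.inf'
    if (Test-Path -LiteralPath $plain) { Add-Finding 'AutorunInf' $plain 'present' }
}

# 5. Authenticode status of vendor executables the report shows being opened for modification.
#    This subset is the author's pick from the report's 64 entries; a Valid signature cannot
#    survive a modified image, so anything other than Valid on these is worth pulling for review.
$Touched = @(
    'C:\Program Files\7-Zip\7z.exe',
    'C:\Program Files\VideoLAN\VLC\vlc.exe',
    'C:\Program Files\dotnet\dotnet.exe',
    'C:\Program Files\Java\jre-1.8\bin\javaw.exe',
    'C:\Program Files\Windows Media Player\wmpconfig.exe',
    'C:\Program Files\Windows Photo Viewer\ImagingDevices.exe',
    'C:\Program Files (x86)\Internet Explorer\ieinstal.exe',
    'C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE',
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
)
foreach ($p in $Touched) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'Signature' $p "status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    }
}

$Findings | Export-Csv -NoTypeInformation -Path $Report
$Findings | Format-Table -AutoSize
Write-Host "$($Findings.Count) finding(s) written to $Report"
```

Step 3 hashes every executable under both Program Files trees, which takes minutes on a full workstation; narrow $HashScope to the vendor directories named in the report if the sweep has to run across a fleet. Step 5 treats NotSigned and HashMismatch alike because the report does not say what the modification does to the image; the point is to collect the files whose signatures no longer verify so they can be compared against a known-good copy.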
Network
MITRE ATT&CK Enterprise v16
Downloads
1. (no path recorded; hashes match the submitted sample)
   Filesize: 1.3MB
   MD5: a5a18e79745d5b5912d00215e38da97f
   SHA1: 654bbbd888a9eb028b78cba6a5d6a427c166a374
   SHA256: ca29e3c11dcaefb761fdc53dd47fa6a206869aae38c99b14189fe8d1e0af827f
   SHA512: 1152db73ad536ac6e5eb8448e5857ec87955f4bcc377dc672626d487199531d11c3c5f1754152addc52607d1413a6c1d1fcde580c6f4b43b964db1321a97da3c
2. (no path recorded)
   Filesize: 1.6MB
   MD5: 4ccd1a01b8d5ffb21ddf9a589d0cf800
   SHA1: e96ab06e3a04ec8b771b184996faa1ca9984337e
   SHA256: 7ce38223c21004ce68eec0acbdcbf026882dcb10e836b3135d5b9f241dc2abd2
   SHA512: 9ae9fa8b4eea83f4328b5ee2b14563e7b00bc79739cb689905ae316c9def5ee1f5e881541af052d01a578a2dd23dadac277d01c11b3c55d86d1ae3060a92a956
3. (no path recorded)
   Filesize: 1.5MB
   MD5: ea8bf9717f2f4841f46691c42b62fd57
   SHA1: 7dbc1f696bd51ec11e3936d8611e2b1611aa9cc2
   SHA256: 29018aa48eea2c6a0ad4fa58c82b0748e88efc971a91467730d654217f2a23d9
   SHA512: 8553fd6439e31e6a7dabbfe88c425da95e67af0b452f11040b60aba826b3f0a44f40c87af0376a558b7c761451ff3a4e6606ba541dd7aa691c8206b20514d688
4. C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe$
   Filesize: 1.4MB
   MD5: 00e2ab08e636b7b661361a936e21b49b
   SHA1: e828749aae897c67cfb52659d82885ac82fa18dc
   SHA256: 9c3cd8f001fbdc27034a050be656847731bced95bb3fbb97445b6131664c117f
   SHA512: 5df51f32894d5847df84a6cbcc74ad2ae8459998825bb990f1509fa8e6a725824e80e49efc54e6a8ce0a5bf39b4cea99429f4fc90ce14a025ca3a0b66fb73bed
5. (no path recorded)
   Filesize: 1.8MB
   MD5: afb57fe87f62d22d937fb57c7e510b85
   SHA1: ef5cda751c8dd3a4417fb0702f6df6a369c910bf
   SHA256: 13b208546074797faee60e76c6c539ecb10ef5517706a10bd77e51a8e328dc22
   SHA512: 2c60162486e3e47d370979d448fa7ad5afe12845b73025db8652b2548b4439cd1cc2316b1171501dab2949d12ddd9e061a0ed8e100b1c5d516e1339d86845ae6
6. (no path recorded)
   Filesize: 1.4MB
   MD5: cebe36a0cf1288445cea94154485ee4c
   SHA1: 7eed1644d8f5a6eaa04bb750846c5d9f95afd66c
   SHA256: bdd0a2dd8cfb710282c7b9b058023114c901787b8b56f789fb33755e825e1035
   SHA512: 3e8efcbb075d73f745254f31211ce5a385d6a47de9575887e31d7c972d074db4d4c61b7d79e316c1b5f3617e37bba7a2f4093548073aea852bfb032ba166303b