Analysis
max time kernel: 118s
max time network: 106s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:20 (4 July 2025, matching the sample's date prefix)

Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
  Resource: win11-20250619-en

General
Target: 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Size: 1.3MB
MD5: a5a18e79745d5b5912d00215e38da97f
SHA1: 654bbbd888a9eb028b78cba6a5d6a427c166a374
SHA256: ca29e3c11dcaefb761fdc53dd47fa6a206869aae38c99b14189fe8d1e0af827f
SHA512: 1152db73ad536ac6e5eb8448e5857ec87955f4bcc377dc672626d487199531d11c3c5f1754152addc52607d1413a6c1d1fcde580c6f4b43b964db1321a97da3c
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2U+:oGeGO+njdzOvljv92V
Malware Config
Signatures

Executes dropped EXE | 1 IoCs
pid | Process
1596 | patcher.exe

Reads user/profile data of web browsers | 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets. (No individual IoCs are listed for this signature in the report.)
-
Adds Run key to start application | 2 TTPs | 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Note: both the sample and the dropped patcher.exe write the same machine-wide Run value, "WinFirewall", pointing at the dropped loader. The WOW6432Node path is where the registry redirector places HKLM\SOFTWARE writes from a 32-bit process on 64-bit Windows, which is consistent with the SysWOW64 drop location recorded below.
Drops autorun.inf file | 1 TTPs | 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
(The "\:\autorun.inf" form denotes an alternate data stream named autorun.inf on the directory itself rather than a file inside it; the NTFS ADS signature below refers to the same artifact.)

Drops file in System32 directory | 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory | 64 IoCs
description | ioc | Process
(In the Process column, "sample" stands for 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe, PID 5084; patcher.exe is PID 1596.)
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | patcher.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Installer\setup.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateSetup.exe | patcher.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | sample
File created | C:\Program Files\Microsoft Office\root\Office16\msoia.exe | sample
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe | sample
File created | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe$ | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | sample
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe | patcher.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe$ | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe$ | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE$ | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | sample
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | sample
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe$ | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeComRegisterShellARM64.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe$ | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\BHO\ie_to_edge_stub.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\notification_helper.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe$ | sample
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateOnDemand.exe | sample
File created | C:\Program Files\Java\jdk-1.8\bin\javap.exe | patcher.exe
File created | C:\Program Files\Java\jre-1.8\bin\ktab.exe | sample
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | patcher.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe | sample
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | patcher.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | sample
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe | patcher.exe
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateBroker.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\WindowsCamera.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe$ | sample
File created | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | sample
File created | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | sample
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe$ | patcher.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | patcher.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\XboxStub.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedgewebview2.exe | sample
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | patcher.exe
System Location Discovery: System Language Discovery | 1 TTPs | 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
NTFS ADS | 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe

Suspicious use of SetWindowsHookEx | 2 IoCs
pid | Process
5084 | 2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe
1596 | patcher.exe

Suspicious use of WriteProcessMemory | 3 IoCs
description | pid | Process | procid_target
PID 3704 wrote to memory of 1596 | 3704 | cmd.exe | 81
PID 3704 wrote to memory of 1596 | 3704 | cmd.exe | 81
PID 3704 wrote to memory of 1596 | 3704 | cmd.exe | 81
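The following hunting script is an added example and is not part of the sandbox report. It checks a Windows host for the host-based artifacts the signatures above record: the "WinFirewall" Run value, the dropped C:\905c0769f9a06c95a24ddf945\patcher.exe, the autorun.inf alternate data streams on %TEMP% and SysWOW64, and the submitted sample's SHA256. Two generalisations are assumptions rather than report facts: the 25-hex-character drop directory name is treated as possibly varying per victim (any such directory under C:\ holding patcher.exe is reported), and executables ending in ".exe$" under Program Files are reported because that naming appears throughout the report's modification list.

```powershell
# Added hunting script (not part of the sandbox report). Read-only: it reports, it does not clean.
# Run in an elevated PowerShell session so HKLM, SysWOW64 and every user's Temp are readable.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Persistence. The report shows the value under WOW6432Node (32-bit process on x64 Windows);
#    the native and per-user Run keys are checked as well, as an assumption that the loader
#    may land differently on other hosts.
$RunKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    $Val = Get-ItemProperty -Path $Key -Name 'WinFirewall' -ErrorAction SilentlyContinue
    if ($Val) { Add-Finding 'RunKey' $Key $Val.WinFirewall }
}

# 2. Dropped loader. Exact path from the report, plus (assumption) any 25-hex-char directory
#    directly under C:\ that contains patcher.exe. Found files are hashed against the report.
$KnownSha256 = @{
    'ca29e3c11dcaefb761fdc53dd47fa6a206869aae38c99b14189fe8d1e0af827f' = 'submitted sample'
}
$Candidates = @('C:\905c0769f9a06c95a24ddf945\patcher.exe') + @(
    Get-ChildItem -Path 'C:\' -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-f]{25}$' } |
        ForEach-Object { Join-Path $_.FullName 'patcher.exe' }
)
foreach ($Path in ($Candidates | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $Path) {
        $Hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $Label = if ($KnownSha256.ContainsKey($Hash)) { $KnownSha256[$Hash] } else { "unknown hash $Hash" }
        Add-Finding 'DroppedExe' $Path $Label
    }
}

# 3. autorun.inf written as a named stream on a directory ("<dir>\:\autorun.inf" in the report).
#    The sandbox user was Admin; here every profile's Local\Temp is checked.
$AdsDirs = @("$env:SystemRoot\SysWOW64")
$AdsDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
foreach ($Dir in $AdsDirs) {
    if (-not (Test-Path -LiteralPath $Dir)) { continue }
    Get-Item -LiteralPath $Dir -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ieq 'autorun.inf' } |
        ForEach-Object { Add-Finding 'AutorunADS' $Dir ("stream {0}, {1} bytes" -f $_.Stream, $_.Length) }
}

# 4. Executables with a trailing "$" under Program Files (e.g. EXCEL.EXE$, as listed in the report).
$PfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($Root in $PfRoots) {
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.exe\$$' } |
        ForEach-Object { Add-Finding 'ExeDollar' $_.FullName ("{0} bytes" -f $_.Length) }
}

if ($Findings.Count -eq 0) { 'No artifacts from this report were found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A hit on the Run value or the drop path is a strong indicator on its own; a ".exe$" hit should be confirmed by hashing the file and its same-named ".exe" sibling before acting, since the report records only that such files were opened for modification, not their content.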
Processes

1. C:\Users\Admin\AppData\Local\Temp\2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe (PID 5084, top-level)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_a5a18e79745d5b5912d00215e38da97f_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_smoke-loader.exe"
   - Adds Run key to start application
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx

2. C:\Windows\system32\cmd.exe (PID 3704, top-level; the report does not attribute it to PID 5084 as a child)
   Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
   - Suspicious use of WriteProcessMemory

   2.1 C:\905c0769f9a06c95a24ddf945\patcher.exe (PID 1596, child of PID 3704)
       Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
       - Executes dropped EXE
       - Adds Run key to start application
       - Drops autorun.inf file
       - Drops file in System32 directory
       - Drops file in Program Files directory
       - System Location Discovery: System Language Discovery
       - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads
(Entries without a path are listed by the report without a file location.)

1. (no path recorded; hashes identical to the submitted sample)
   Filesize: 1.3MB
   MD5: a5a18e79745d5b5912d00215e38da97f
   SHA1: 654bbbd888a9eb028b78cba6a5d6a427c166a374
   SHA256: ca29e3c11dcaefb761fdc53dd47fa6a206869aae38c99b14189fe8d1e0af827f
   SHA512: 1152db73ad536ac6e5eb8448e5857ec87955f4bcc377dc672626d487199531d11c3c5f1754152addc52607d1413a6c1d1fcde580c6f4b43b964db1321a97da3c

2. (no path recorded)
   Filesize: 1.4MB
   MD5: e860e0c99cac3c318760ec4df537b331
   SHA1: 3ee7f87b4c4bea814c8854fb4571de2de1c4a6b4
   SHA256: 2bbdea689acbb3de4f6d9a340fb72405e6215b9a1f79071970c76b06a2192d25
   SHA512: c9db46bd355de2ac9b551e51d40a13a37d124e0150f6f31da2f6f567c1060975c8c47292a6ea44130fdca76f6ce253deadccb2fc15ceacb959a85a57a9cc9e2c

3. (no path recorded)
   Filesize: 1.7MB
   MD5: a8c15bc0989fc716ca905040d0dbee8f
   SHA1: f59251da8825658da4f212bd7930b70fab6e9a75
   SHA256: 885efd48e45d484bed4c68e8ba626fa5165f6ba22b98eb84168ea636a3581cde
   SHA512: cee1f354269f36dc7c745eb6446f602af00ed08cc7c9e7e53adb07d6dc0361368bf4117621c5eb9936d886b8802292dde396a97c2401416c71c01ca346b2eb88

4. (no path recorded)
   Filesize: 1.8MB
   MD5: 41758305963845ac6d80b5f980a0f5c3
   SHA1: 6e5d3133493f41f194695108703be4575ea79de4
   SHA256: 0ecb331e4d501514a11abdb68f73c14978954b0c23bc401569b8e8914f315296
   SHA512: 5d3932e82c57831a3ff08b0d6f2ea8ef21e8f1938ea41c6f1f1e2d2bba4dcb3c98fda61216af99d3a90048e18817282fd121c16e96f42e7832cc184e149f0170

5. C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\MicrosoftEdgeWebview_X64_132.0.2957.140.exe$
   Filesize: 1.4MB
   MD5: 00e2ab08e636b7b661361a936e21b49b
   SHA1: e828749aae897c67cfb52659d82885ac82fa18dc
   SHA256: 9c3cd8f001fbdc27034a050be656847731bced95bb3fbb97445b6131664c117f
   SHA512: 5df51f32894d5847df84a6cbcc74ad2ae8459998825bb990f1509fa8e6a725824e80e49efc54e6a8ce0a5bf39b4cea99429f4fc90ce14a025ca3a0b66fb73bed

6. (no path recorded)
   Filesize: 1.8MB
   MD5: afb57fe87f62d22d937fb57c7e510b85
   SHA1: ef5cda751c8dd3a4417fb0702f6df6a369c910bf
   SHA256: 13b208546074797faee60e76c6c539ecb10ef5517706a10bd77e51a8e328dc22
   SHA512: 2c60162486e3e47d370979d448fa7ad5afe12845b73025db8652b2548b4439cd1cc2316b1171501dab2949d12ddd9e061a0ed8e100b1c5d516e1339d86845ae6

7. C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe
   Filesize: 1.3MB
   MD5: b111a77c4275942c2aa026e872987353
   SHA1: 9fb41d17d839d7b53274156f2a01a011d6e1d986
   SHA256: ea79a23dd5867974acf5258b654c860a66f1c88658ec63c59c87d31b58f7d272
   SHA512: 37837741edbd0133d7bff0c2625d444327a8d659de6a4baa9c6b53a3789a5c6217fe1dd52fca83e6f64f0e1525d9a7f76b3f84c39cdaa03dfe6a2f8eb0976bfa

8. C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe$
   Filesize: 1.5MB
   MD5: 357d756fa6382865c3918c6dbe0ba659
   SHA1: a35d1c293daef016599f3796046ef8abac2c786b
   SHA256: 83082f501949f80f923fb4b7aec0a065c2900bc1248bd398409b6dd8b97180a7
   SHA512: 2281f321544a1a108d403705c341456f0bbffc2ac9ff412c4fe038cec833cdbcbbd9005b686bff1a1cdeb6aade1af2495bc8571b26c9b8e1f0c5d735e913ac58