Analysis
max time kernel: 116s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 12:19
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  Resource: win11-20250619-en
General
Target: 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
Size: 1.3MB
MD5: 9f53efdb1a9a2d227de8659286c187ad
SHA1: 9765f22507889a4733ef1ddc2c6cb9e9d688325e
SHA256: accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3
SHA512: 06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506
SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2dZr:oGeGO+njdzOvljv92dZr
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
pid | Process
1612 | patcher.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | patcher.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\:\autorun.inf | patcher.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | patcher.exe
File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevated_tracing_service.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateSetup.exe$ | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE$ | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe$ | patcher.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_pwa_launcher.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedgewebview2.exe$ | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\klist.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | patcher.exe
File created | C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | patcher.exe
File created | C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE | patcher.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge_proxy.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe$ | patcher.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_stub.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\cookie_exporter.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msotd.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe | patcher.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe$ | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe$ | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | patcher.exe
File created | C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe | patcher.exe
File created | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | patcher.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | patcher.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedge.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe$ | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe$ | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | patcher.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\cookie_exporter.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javac.exe | patcher.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe$ | patcher.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | patcher.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
File created | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | patcher.exe
NTFS ADS (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
6044 | 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
1612 | patcher.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2604 wrote to memory of 1612 | 2604 | cmd.exe | 90
PID 2604 wrote to memory of 1612 | 2604 | cmd.exe | 90
PID 2604 wrote to memory of 1612 | 2604 | cmd.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe"
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID: 6044

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
  - Suspicious use of WriteProcessMemory
  PID: 2604

  C:\905c0769f9a06c95a24ddf945\patcher.exe (child of cmd.exe, PID 2604)
    command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1612
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 1.3MB
MD5: 9f53efdb1a9a2d227de8659286c187ad
SHA1: 9765f22507889a4733ef1ddc2c6cb9e9d688325e
SHA256: accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3
SHA512: 06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506

Filesize: 1.6MB
MD5: af5d6127b34128049d486443bb55ca0a
SHA1: 54c8d77692ca1d408d76132522d44ef2ef3e57ae
SHA256: 89d7126cfb64cc3e09ef1bf1b3f7013b175c66bfb39b47271f2af18c0f8a1438
SHA512: e89bf1e9b7bf6decd503251721e102ba985321ebd66288ad8f1c9b4b1e5f3aa2abe24aca521ade771a78b874beec77bdd6c30c7b4faaf047fd6d0388d58acc17

Filesize: 1.4MB
MD5: 75a0e2423c2badf3b6148046fb841ed6
SHA1: b93f73eecf742bbbcad604a99ef0ffcd2fb9a84b
SHA256: cd8528521f3a60bc36f271e1fc5f40bcd893c8a6af3f582ee1546e8fd141b050
SHA512: 1b88827fd91f7173504f4605a4e6995aa8605e5b87037b9a10ba9f2678e3ca5105f9187a742d7a09bdb84f70272f403d955318cd6907006abcbace40704c5f14

Filesize: 1.8MB
MD5: e617e077ec2c7a161aecf763ea02c89d
SHA1: f0e16be82eb1c93a7b8419e4d423f26398806a57
SHA256: 2357787075a2f52bc534b5ea2a0bd430b66ad4ac5c4f425cbbf03f936cf321c0
SHA512: b56c607249073651c5711a8b133851bbc9dce4f9795486f0ef404663720a8feabbca41873acb849e4a12ad1b3a5ff9e5ea95c32cec6825c0fde840daaaeb7499

Filesize: 1.4MB
MD5: 73c100fb51488621e9c344d456cb3097
SHA1: 052789feeb9a4ed3ddd25cc2c61b9dae9bb2feb9
SHA256: c0579d6bac064b667649f678c62443a148bcf294db4af162a1754496b0ef82eb
SHA512: 5290d0cf8da924b4fb012d6090a378699e7d56d7f88b344894a71317836758d067ad5edc897ba0224c6a91d87a08308c27df66a485ab343c2e482984206d0f6c