Analysis

  • max time kernel
    116s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250610-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/07/2025, 12:19

General

  • Target

    2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe

  • Size

    1.3MB

  • MD5

    9f53efdb1a9a2d227de8659286c187ad

  • SHA1

    9765f22507889a4733ef1ddc2c6cb9e9d688325e

  • SHA256

    accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3

  • SHA512

    06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2dZr:oGeGO+njdzOvljv92dZr

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens, autofill data and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows AutoRun to spread further via attached volumes. Windows 7 and later no longer honour autorun.inf on removable (non-optical) media, so on this Windows 10 platform the file is a reliable indicator of worm-style behaviour rather than a working infection vector.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:6044
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1612
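
Host triage

  An added host-triage script (not part of the sandbox report and not the sample's own code) that checks a Windows host for the behaviours flagged above, using only the indicators the report gives: the SHA256 of the submitted file, the drop path C:\905c0769f9a06c95a24ddf945\patcher.exe (which the Downloads section shows carrying the same hashes as the submitted file, i.e. a self-copy), the Run-key, autorun.inf and NTFS ADS signatures, and the .exe$ files listed under Program Files. The report does not name the Run-key value or the ADS stream, so the script lists every entry it finds for review rather than matching a specific one. It assumes PowerShell 5.1 or later, run elevated; the finding categories and the $Findings structure are the script's own.

```powershell
# Added triage script for the behaviours in this report. Assumes PowerShell 5.1+,
# run as Administrator. Indicators below are copied from the report; the
# finding names are this script's own convention.
$SampleSha256 = 'accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3'
$DropPath     = 'C:\905c0769f9a06c95a24ddf945\patcher.exe'
$Findings     = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Dropped self-copy: the report shows patcher.exe with the sample's own hashes.
if (Test-Path -LiteralPath $DropPath) {
    $h = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash.ToLower()
    if ($h -eq $SampleSha256) { Add-Finding 'DroppedSample' "$DropPath matches sample SHA256" }
    else                      { Add-Finding 'DroppedSample' "$DropPath present, SHA256 differs ($h)" }
}

# 2. Run keys (signature "Adds Run key to start application"). The value name is
#    not in the report, so every entry under the user and machine Run keys is listed.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        Add-Finding 'RunKey' "$key\$($p.Name) = $($p.Value)"
    }
}

# 3. autorun.inf at the root of every file-system drive (signature "Drops autorun.inf file").
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $body = (Get-Content -LiteralPath $inf -Raw) -replace '\s+', ' '
        Add-Finding 'AutorunInf' "$inf : $body"
    }
}

# 4. NTFS alternate data streams (signature "NTFS ADS") on the drop directory and under
#    Program Files. The default :$DATA stream and the Zone.Identifier mark-of-the-web
#    are ignored; anything else is reported for review.
$AdsRoots = 'C:\905c0769f9a06c95a24ddf945', $env:ProgramFiles, ${env:ProgramFiles(x86)}
foreach ($root in $AdsRoots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object { Add-Finding 'NtfsAds' "$($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
    }
}

# 5. Files with a trailing "$" written under Program Files, as listed in the report's
#    Downloads section (e.g. RdrServicesUpdater.exe$, helper.exe$).
foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if (-not $root) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe$' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'ExeDollar' $_.FullName }
}

$Findings | Format-Table -AutoSize
```

  The ADS sweep walks all of Program Files and is the slow part; narrow $AdsRoots to the directories named in the Downloads section if the host is large. Treat every RunKey line as a candidate rather than a hit, since legitimate software uses the same keys; the DroppedSample and AutorunInf findings are the ones that map directly to this report.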

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          9f53efdb1a9a2d227de8659286c187ad

          SHA1

          9765f22507889a4733ef1ddc2c6cb9e9d688325e

          SHA256

          accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3

          SHA512

          06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe$

          Filesize

          1.6MB

          MD5

          af5d6127b34128049d486443bb55ca0a

          SHA1

          54c8d77692ca1d408d76132522d44ef2ef3e57ae

          SHA256

          89d7126cfb64cc3e09ef1bf1b3f7013b175c66bfb39b47271f2af18c0f8a1438

          SHA512

          e89bf1e9b7bf6decd503251721e102ba985321ebd66288ad8f1c9b4b1e5f3aa2abe24aca521ade771a78b874beec77bdd6c30c7b4faaf047fd6d0388d58acc17

        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

          Filesize

          1.4MB

          MD5

          75a0e2423c2badf3b6148046fb841ed6

          SHA1

          b93f73eecf742bbbcad604a99ef0ffcd2fb9a84b

          SHA256

          cd8528521f3a60bc36f271e1fc5f40bcd893c8a6af3f582ee1546e8fd141b050

          SHA512

          1b88827fd91f7173504f4605a4e6995aa8605e5b87037b9a10ba9f2678e3ca5105f9187a742d7a09bdb84f70272f403d955318cd6907006abcbace40704c5f14

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          e617e077ec2c7a161aecf763ea02c89d

          SHA1

          f0e16be82eb1c93a7b8419e4d423f26398806a57

          SHA256

          2357787075a2f52bc534b5ea2a0bd430b66ad4ac5c4f425cbbf03f936cf321c0

          SHA512

          b56c607249073651c5711a8b133851bbc9dce4f9795486f0ef404663720a8feabbca41873acb849e4a12ad1b3a5ff9e5ea95c32cec6825c0fde840daaaeb7499

        • C:\Program Files\Mozilla Firefox\uninstall\helper.exe$

          Filesize

          1.4MB

          MD5

          73c100fb51488621e9c344d456cb3097

          SHA1

          052789feeb9a4ed3ddd25cc2c61b9dae9bb2feb9

          SHA256

          c0579d6bac064b667649f678c62443a148bcf294db4af162a1754496b0ef82eb

          SHA512

          5290d0cf8da924b4fb012d6090a378699e7d56d7f88b344894a71317836758d067ad5edc897ba0224c6a91d87a08308c27df66a485ab343c2e482984206d0f6c

        • memory/1612-8-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/1612-1658-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/6044-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/6044-1602-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB