Analysis
- max time kernel: 119s
- max time network: 105s
- platform: windows11-21h2_x64
- resource: win11-20250619-en
- resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04/07/2025, 12:19

Static task: static1

Behavioral task: behavioral1
- Sample: 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
- Resource: win10v2004-20250610-en

Behavioral task: behavioral2
- Sample: 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
- Resource: win11-20250619-en
General
- Target: 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
- Size: 1.3MB
- MD5: 9f53efdb1a9a2d227de8659286c187ad
- SHA1: 9765f22507889a4733ef1ddc2c6cb9e9d688325e
- SHA256: accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3
- SHA512: 06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506
- SSDEEP: 24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2dZr:oGeGO+njdzOvljv92dZr
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2964, process patcher.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other stored data.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe", by process 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe", by process patcher.exe
- Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf, by process 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  File opened for modification: C:\Windows\SysWOW64\:\autorun.inf, by process patcher.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\:\autorun.inf, by process patcher.exe
- Drops file in Program Files directory (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process patcher.exe
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf, by process 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 5640, process 2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
  pid 2964, process patcher.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 736 wrote to memory of 2964 (pid 736, process cmd.exe, procid_target 84); the same entry is reported three times
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe"
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID: 5640
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
  - Suspicious use of WriteProcessMemory
  PID: 736
  - C:\905c0769f9a06c95a24ddf945\patcher.exe (depth 2, child of cmd.exe)
    Command line: C:\905c0769f9a06c95a24ddf945\patcher.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2964
Network
MITRE ATT&CK Enterprise v16
Downloads