Analysis

  • max time kernel
    119s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/07/2025, 12:19

General

  • Target

    2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe

  • Size

    1.3MB

  • MD5

    9f53efdb1a9a2d227de8659286c187ad

  • SHA1

    9765f22507889a4733ef1ddc2c6cb9e9d688325e

  • SHA256

    accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3

  • SHA512

    06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506

  • SSDEEP

    24576:M1E9tnli1E9tnlm+MK/Rjd48OMaewsAjzHQy5Sk2dZr:oGeGO+njdzOvljv92dZr

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_9f53efdb1a9a2d227de8659286c187ad_amadey_black-basta_darkgate_elex_hawkeye_luca-stealer_rhadamanthys_smoke-loader.exe"
    1⤵
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:5640
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\905c0769f9a06c95a24ddf945\patcher.exe
      C:\905c0769f9a06c95a24ddf945\patcher.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2964
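
The chain in the process tree (cmd.exe /c launching patcher.exe from C:\905c0769f9a06c95a24ddf945\, and patcher.exe then adding a Run key and dropping autorun.inf) is worth a cheap command-line check during triage. The Python below is an added example, not part of this report or of any sandbox tooling: it flags command lines where cmd.exe /c runs an executable out of a drive-root directory named with a bare hex string, and process images that live in such a directory. The ProcEvent type, the 16-hex-digit threshold and the benign third event are my assumptions; the two flagged events are copied from the process tree above.

```python
"""Triage check for the launch chain in the process tree above: cmd.exe /c
running an executable out of a directory directly under the drive root whose
name is a bare hex string.  The heuristic and the event list are an added
example; the benign event is constructed, the other two come from the report."""
import re
from dataclasses import dataclass

# Drive root, then a directory of 16+ hex digits, then the executable name.
HEX_ROOT_EXE = re.compile(r'^[A-Za-z]:\\[0-9a-f]{16,}\\[^\\]+\.exe$', re.I)
# cmd.exe invoked with /c; group 1 is the command it was asked to run.
CMD_SLASH_C = re.compile(r'^"?(?:[^"]*\\)?cmd\.exe"?\s+/c\s+(.+)$', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str


def cmd_c_target(cmdline):
    """Command that a 'cmd.exe /c ...' line runs, or None for other command lines."""
    m = CMD_SLASH_C.match(cmdline.strip())
    return m.group(1).strip().strip('"') if m else None


def reasons(ev):
    """Human-readable reasons this event deserves a look (empty list = none)."""
    out = []
    target = cmd_c_target(ev.cmdline)
    if target and HEX_ROOT_EXE.match(target):
        out.append("cmd.exe /c launching an executable from a drive-root hex-named directory")
    if HEX_ROOT_EXE.match(ev.image):
        out.append("process image lives in a drive-root hex-named directory")
    return out


def scan(events):
    """Map pid -> reasons for every event that triggers at least one check."""
    flagged = {}
    for ev in events:
        why = reasons(ev)
        if why:
            flagged[ev.pid] = why
    return flagged


# Constructed event list: PIDs 736 and 2964 mirror the report's process tree,
# PID 4100 is a made-up benign launch of a Program Files binary.
SAMPLE_EVENTS = [
    ProcEvent(736, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\905c0769f9a06c95a24ddf945\patcher.exe"),
    ProcEvent(2964, r"C:\905c0769f9a06c95a24ddf945\patcher.exe",
              r"C:\905c0769f9a06c95a24ddf945\patcher.exe"),
    ProcEvent(4100, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c C:\Program Files\7-Zip\7z.exe --help"),
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(why))
```

Hex-named directories directly under the drive root are also where Windows update and .NET installer packages unpack themselves, so treat a hit as a reason to check the other signatures in this report (Run key, autorun.inf, NTFS ADS) rather than as a conviction on its own.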

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\905c0769f9a06c95a24ddf945\patcher.exe

          Filesize

          1.3MB

          MD5

          9f53efdb1a9a2d227de8659286c187ad

          SHA1

          9765f22507889a4733ef1ddc2c6cb9e9d688325e

          SHA256

          accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3

          SHA512

          06b2d78c87ec9ad59c5ef9d9922894370a45861c102fc81b90d7966da42c6a8ad4af83ad4b32b594dbfc41b86e5fdb7a280cbc9b8392a253068a50e2a02fb506

        • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$

          Filesize

          1.4MB

          MD5

          e4bf6dbaaed6cce69c1bfcf4704cc2fa

          SHA1

          76c006c02c91eac2c4c039ca97ea530390fc8037

          SHA256

          0cccca1bb72ce14724268da8faa5959544ea43f3e6794df4c1fc7aba41a577ed

          SHA512

          4dc7e2b8b66bbb850bdabfced80eab80b81eb1a512c25591b9678a602a277c9ecfdc31592098044f47e9acd3c33c5becab8a3b45dc2fd69b471a5915462862af

        • C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe$

          Filesize

          1.8MB

          MD5

          659c3e64a939f223632adbb16addd84f

          SHA1

          242531d0b98ed71a9eb5b61890d905582dfec017

          SHA256

          54ac69d8465f7aa7cf4bc1bbcde721f528aaf5cd31d5c3afd5a6b6bcd1c3d0f5

          SHA512

          ee04dd1ee89b51ba6812c66511b15c1396f97ebbde6217cbdc1573dd868e5d011aa5f4f5bcc93225bf366976ec69a9dda27fde4055eba242daaf4ed47642f001

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.8MB

          MD5

          e617e077ec2c7a161aecf763ea02c89d

          SHA1

          f0e16be82eb1c93a7b8419e4d423f26398806a57

          SHA256

          2357787075a2f52bc534b5ea2a0bd430b66ad4ac5c4f425cbbf03f936cf321c0

          SHA512

          b56c607249073651c5711a8b133851bbc9dce4f9795486f0ef404663720a8feabbca41873acb849e4a12ad1b3a5ff9e5ea95c32cec6825c0fde840daaaeb7499

        • C:\Program Files\Mozilla Firefox\uninstall\helper.exe$

          Filesize

          1.4MB

          MD5

          73c100fb51488621e9c344d456cb3097

          SHA1

          052789feeb9a4ed3ddd25cc2c61b9dae9bb2feb9

          SHA256

          c0579d6bac064b667649f678c62443a148bcf294db4af162a1754496b0ef82eb

          SHA512

          5290d0cf8da924b4fb012d6090a378699e7d56d7f88b344894a71317836758d067ad5edc897ba0224c6a91d87a08308c27df66a485ab343c2e482984206d0f6c

        • memory/2964-1555-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5640-0-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB

        • memory/5640-1554-0x0000000000400000-0x000000000040D000-memory.dmp

          Filesize

          52KB
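
Note that the hashes listed for C:\905c0769f9a06c95a24ddf945\patcher.exe are identical to the submitted sample's (same MD5, SHA1, SHA256, SHA512 and size), so this drop is a byte-for-byte copy of the original executable, while the files left under Program Files carry different hashes. The Python below is an added example, not the sandbox vendor's code: it parses records laid out like the Downloads section above, separates drops that are self-copies from new artifacts, and checks that each hash value has the right length, which catches truncated extraction before a hash goes into a blocklist. The embedded text is constructed from three of the entries above; the field names and record layout are assumed to match this page.

```python
"""Parse dropped-file records in the layout of the report's Downloads section
and compare them with the submitted sample's hashes.  Added example; the
embedded text is constructed from three of the report's entries."""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
FIELDS = set(HASH_LEN) | {"Filesize"}

# Constructed from the report's Downloads section (SHA512 lines omitted for brevity).
REPORT_DOWNLOADS = r"""
• C:\905c0769f9a06c95a24ddf945\patcher.exe
  Filesize
  1.3MB
  MD5
  9f53efdb1a9a2d227de8659286c187ad
  SHA1
  9765f22507889a4733ef1ddc2c6cb9e9d688325e
  SHA256
  accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3
• C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$
  Filesize
  1.4MB
  MD5
  e4bf6dbaaed6cce69c1bfcf4704cc2fa
  SHA1
  76c006c02c91eac2c4c039ca97ea530390fc8037
  SHA256
  0cccca1bb72ce14724268da8faa5959544ea43f3e6794df4c1fc7aba41a577ed
• memory/2964-1555-0x0000000000400000-0x000000000040D000-memory.dmp
  Filesize
  52KB
"""

# Hashes of the submitted sample, copied from the report's General section.
SAMPLE = {
    "MD5": "9f53efdb1a9a2d227de8659286c187ad",
    "SHA1": "9765f22507889a4733ef1ddc2c6cb9e9d688325e",
    "SHA256": "accfbe97eeacd4492b319f3377fc40b7a58440e93bcdfcc195b9672e61175dc3",
}


def parse_downloads(text):
    """One dict per '•' entry: {'path': ..., 'Filesize': ..., 'MD5': ..., ...}.
    A field name line sets the pending key; the next non-empty line is its value."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:
            pending = line
        elif current is not None and pending:
            current[pending] = line
            pending = None
    return records


def malformed_hashes(record):
    """Hash fields whose value is not lowercase hex of the expected length."""
    return [k for k, n in HASH_LEN.items()
            if k in record and not re.fullmatch(r"[0-9a-f]{%d}" % n, record[k])]


def self_copies(records, sample=SAMPLE):
    """Paths whose every reported hash equals the sample's: byte-identical drops."""
    return [r["path"] for r in records
            if all(r.get(k) == v for k, v in sample.items())]


def new_artifacts(records, sample=SAMPLE):
    """Hashed drops that are not the sample itself; these need their own lookups."""
    return [r["path"] for r in records
            if "SHA256" in r and r["SHA256"] != sample["SHA256"]]


if __name__ == "__main__":
    recs = parse_downloads(REPORT_DOWNLOADS)
    print("self-copies:", self_copies(recs))
    print("new artifacts:", new_artifacts(recs))
    print("malformed:", [(r["path"], malformed_hashes(r)) for r in recs if malformed_hashes(r)])
```

Memory-dump entries carry only a size, so they fall into neither list; the length check matters because a report copied out of a browser often loses the tail of a long SHA512 line, and a short hash silently matches nothing.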