hijackloader | 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88

General

Target

807675A50EE7545E02DAEAC9822842B7.exe
Size

922KB
MD5

807675a50ee7545e02daeac9822842b7
SHA1

967094e1ef9155a031687396ba99855e54870612
SHA256

2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
SHA512

12a928dc23e7fd03996e5d41d8fce1d091b0fa979d379e63e6e89d58440f8a21a809a646e1c6431eda68d71515e1aed06219c4f3d8c0c86e25724b1d6e5af5b4
SSDEEP

24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4

Score

10^/10

hijackloader stealc loader stealer

Malware Config

Extracted

Family

stealc

C2

http://193.163.7.88

Attributes

url_path
/a69d09b357e06b52.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x00000000004E8000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 1632	2196	807675A50EE7545E02DAEAC9822842B7.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2724	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2196	807675A50EE7545E02DAEAC9822842B7.exe
2196	807675A50EE7545E02DAEAC9822842B7.exe
1632	cmd.exe
1632	cmd.exe
3012	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2196	807675A50EE7545E02DAEAC9822842B7.exe
1632	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1632	2196	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2196 wrote to memory of 1632	2196	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2196 wrote to memory of 1632	2196	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2196 wrote to memory of 1632	2196	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2196 wrote to memory of 1632	2196	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 1632 wrote to memory of 3012	1632	cmd.exe	30
PID 1632 wrote to memory of 3012	1632	cmd.exe	30
PID 1632 wrote to memory of 3012	1632	cmd.exe	30
PID 1632 wrote to memory of 3012	1632	cmd.exe	30
PID 1632 wrote to memory of 3012	1632	cmd.exe	30
PID 3012 wrote to memory of 2464	3012	explorer.exe	32
PID 3012 wrote to memory of 2464	3012	explorer.exe	32
PID 3012 wrote to memory of 2464	3012	explorer.exe	32
PID 3012 wrote to memory of 2464	3012	explorer.exe	32
PID 2464 wrote to memory of 2724	2464	cmd.exe	34
PID 2464 wrote to memory of 2724	2464	cmd.exe	34
PID 2464 wrote to memory of 2724	2464	cmd.exe	34
PID 2464 wrote to memory of 2724	2464	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe
"C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8c2e0f63

Filesize
861KB

MD5
6ff0dde2e56eb2191187a5b2e886995a

SHA1
d312ddaa016436f96f7b2735d145d7bdffdc7e0e

SHA256
04f0c9d2ae9e3632fc071fb02a694e39a73d928a9fa2392fe6e25febcb174901

SHA512
ad51b0bef9013d6a3f75b474e0c7b87ce624b5028f0e1c2356225a8c33c7afde35bdaa49b6ed2758bf0f54f8856e3a86a2fa2cff57f8b690b83f0934f1ff0e25

Download Submit
memory/1632-12-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/1632-10-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/1632-9-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/1632-8-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/1632-6-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/2196-4-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/2196-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2196-3-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/2196-2-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2196-1-0x0000000074C60000-0x0000000074DD4000-memory.dmp

Filesize
1.5MB

Download
memory/3012-13-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3012-14-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/3012-15-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3012-18-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/3012-17-0x0000000000870000-0x0000000000AF1000-memory.dmp

Filesize
2.5MB

Download
memory/3012-19-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3012-37-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing