hijackloader | 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88

General

Target

807675A50EE7545E02DAEAC9822842B7.exe
Size

922KB
MD5

807675a50ee7545e02daeac9822842b7
SHA1

967094e1ef9155a031687396ba99855e54870612
SHA256

2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
SHA512

12a928dc23e7fd03996e5d41d8fce1d091b0fa979d379e63e6e89d58440f8a21a809a646e1c6431eda68d71515e1aed06219c4f3d8c0c86e25724b1d6e5af5b4
SSDEEP

24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4

Score

10^/10

hijackloader stealc loader stealer

Malware Config

Extracted

Family

stealc

C2

http://193.163.7.88

Attributes

url_path
/a69d09b357e06b52.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x00000000004E8000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1636	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1948	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2928	807675A50EE7545E02DAEAC9822842B7.exe
2928	807675A50EE7545E02DAEAC9822842B7.exe
1636	cmd.exe
1636	cmd.exe
2664	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2928	807675A50EE7545E02DAEAC9822842B7.exe
1636	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	28
PID 1636 wrote to memory of 2664	1636	cmd.exe	30
PID 1636 wrote to memory of 2664	1636	cmd.exe	30
PID 1636 wrote to memory of 2664	1636	cmd.exe	30
PID 1636 wrote to memory of 2664	1636	cmd.exe	30
PID 1636 wrote to memory of 2664	1636	cmd.exe	30
PID 2664 wrote to memory of 2948	2664	explorer.exe	32
PID 2664 wrote to memory of 2948	2664	explorer.exe	32
PID 2664 wrote to memory of 2948	2664	explorer.exe	32
PID 2664 wrote to memory of 2948	2664	explorer.exe	32
PID 2948 wrote to memory of 1948	2948	cmd.exe	34
PID 2948 wrote to memory of 1948	2948	cmd.exe	34
PID 2948 wrote to memory of 1948	2948	cmd.exe	34
PID 2948 wrote to memory of 1948	2948	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe
"C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8cea21a9

Filesize
861KB

MD5
519070300cf12c5609552ed8318dc5b4

SHA1
73cb1a95db91fa502883aa7acf2eca61f8b50f45

SHA256
7c3c660880d0a9f46e637655ca949e21be6455a0f9ee7432a2d9eaad824735ec

SHA512
7abe297214aaf98ab32606e9dd78c7ff5afff8506395da0b78254651dd2a991d7b39c692c63d87eae85e4a8ad0671a16b7fb83163775a3f11d91339288a90d19

Download Submit
memory/1636-12-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/1636-10-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/1636-9-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/1636-8-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/1636-6-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2664-14-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2664-13-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2664-15-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2664-17-0x0000000000700000-0x0000000000981000-memory.dmp

Filesize
2.5MB

Download
memory/2664-18-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2664-19-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2664-37-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2928-4-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2928-3-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2928-2-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2928-1-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2928-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing