hijackloader | 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88

General

Target

807675A50EE7545E02DAEAC9822842B7.exe
Size

922KB
MD5

807675a50ee7545e02daeac9822842b7
SHA1

967094e1ef9155a031687396ba99855e54870612
SHA256

2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
SHA512

12a928dc23e7fd03996e5d41d8fce1d091b0fa979d379e63e6e89d58440f8a21a809a646e1c6431eda68d71515e1aed06219c4f3d8c0c86e25724b1d6e5af5b4
SSDEEP

24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4

Score

10^/10

hijackloader stealc loader stealer

Malware Config

Extracted

Family

stealc

C2

http://193.163.7.88

Attributes

url_path
/a69d09b357e06b52.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x00000000004E8000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.exe

description pid process target process

PID 2928 set thread context of 1636 2928 807675A50EE7545E02DAEAC9822842B7.exe cmd.exe

pid	process
1636	cmd.exe

description	pid	process	target process
PID 2928 set thread context of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1948 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.execmd.exeexplorer.exe

pid process

2928 807675A50EE7545E02DAEAC9822842B7.exe
2928 807675A50EE7545E02DAEAC9822842B7.exe
1636 cmd.exe
1636 cmd.exe
2664 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.execmd.exe

pid process

2928 807675A50EE7545E02DAEAC9822842B7.exe
1636 cmd.exe

pid	process
1948	timeout.exe

pid	process
2928	807675A50EE7545E02DAEAC9822842B7.exe
2928	807675A50EE7545E02DAEAC9822842B7.exe
1636	cmd.exe
1636	cmd.exe
2664	explorer.exe

pid	process
2928	807675A50EE7545E02DAEAC9822842B7.exe
1636	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.execmd.exeexplorer.execmd.exe

description	pid	process	target process
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 2928 wrote to memory of 1636	2928	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 1636 wrote to memory of 2664	1636	cmd.exe	explorer.exe
PID 1636 wrote to memory of 2664	1636	cmd.exe	explorer.exe
PID 1636 wrote to memory of 2664	1636	cmd.exe	explorer.exe
PID 1636 wrote to memory of 2664	1636	cmd.exe	explorer.exe
PID 1636 wrote to memory of 2664	1636	cmd.exe	explorer.exe
PID 2664 wrote to memory of 2948	2664	explorer.exe	cmd.exe
PID 2664 wrote to memory of 2948	2664	explorer.exe	cmd.exe
PID 2664 wrote to memory of 2948	2664	explorer.exe	cmd.exe
PID 2664 wrote to memory of 2948	2664	explorer.exe	cmd.exe
PID 2948 wrote to memory of 1948	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 1948	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 1948	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 1948	2948	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe
"C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "" & del "C:\ProgramData\*.dll"" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8cea21a9
Filesize
861KB

MD5
519070300cf12c5609552ed8318dc5b4

SHA1
73cb1a95db91fa502883aa7acf2eca61f8b50f45

SHA256
7c3c660880d0a9f46e637655ca949e21be6455a0f9ee7432a2d9eaad824735ec

SHA512
7abe297214aaf98ab32606e9dd78c7ff5afff8506395da0b78254651dd2a991d7b39c692c63d87eae85e4a8ad0671a16b7fb83163775a3f11d91339288a90d19

Download Submit
memory/1636-12-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/1636-10-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/1636-9-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/1636-8-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/1636-6-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2664-14-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2664-13-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2664-15-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2664-17-0x0000000000700000-0x0000000000981000-memory.dmp

Filesize
2.5MB

Download
memory/2664-18-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2664-19-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2664-37-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2928-4-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2928-3-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2928-2-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2928-1-0x0000000074CA0000-0x0000000074E14000-memory.dmp

Filesize
1.5MB

Download
memory/2928-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads