hijackloader | 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88

General

Target

807675A50EE7545E02DAEAC9822842B7.exe
Size

922KB
MD5

807675a50ee7545e02daeac9822842b7
SHA1

967094e1ef9155a031687396ba99855e54870612
SHA256

2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
SHA512

12a928dc23e7fd03996e5d41d8fce1d091b0fa979d379e63e6e89d58440f8a21a809a646e1c6431eda68d71515e1aed06219c4f3d8c0c86e25724b1d6e5af5b4
SSDEEP

24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4

Score

10^/10

hijackloader stealc loader stealer

Malware Config

Extracted

Family

stealc

C2

http://193.163.7.88

Attributes

url_path
/a69d09b357e06b52.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4436-0-0x0000000000A70000-0x0000000000B58000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3952 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.exe

description pid process target process

PID 4436 set thread context of 3952 4436 807675A50EE7545E02DAEAC9822842B7.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4836 1964 WerFault.exe explorer.exe

pid	process
3952	cmd.exe

description	pid	process	target process
PID 4436 set thread context of 3952	4436	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe

pid	pid_target	process	target process
4836	1964	WerFault.exe	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.execmd.exeexplorer.exe

pid process

4436 807675A50EE7545E02DAEAC9822842B7.exe
4436 807675A50EE7545E02DAEAC9822842B7.exe
3952 cmd.exe
3952 cmd.exe
1964 explorer.exe
1964 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.execmd.exe

pid process

4436 807675A50EE7545E02DAEAC9822842B7.exe
3952 cmd.exe

pid	process
4436	807675A50EE7545E02DAEAC9822842B7.exe
4436	807675A50EE7545E02DAEAC9822842B7.exe
3952	cmd.exe
3952	cmd.exe
1964	explorer.exe
1964	explorer.exe

pid	process
4436	807675A50EE7545E02DAEAC9822842B7.exe
3952	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

807675A50EE7545E02DAEAC9822842B7.execmd.exe

description	pid	process	target process
PID 4436 wrote to memory of 3952	4436	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 4436 wrote to memory of 3952	4436	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 4436 wrote to memory of 3952	4436	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 4436 wrote to memory of 3952	4436	807675A50EE7545E02DAEAC9822842B7.exe	cmd.exe
PID 3952 wrote to memory of 1964	3952	cmd.exe	explorer.exe
PID 3952 wrote to memory of 1964	3952	cmd.exe	explorer.exe
PID 3952 wrote to memory of 1964	3952	cmd.exe	explorer.exe
PID 3952 wrote to memory of 1964	3952	cmd.exe	explorer.exe
PID 3952 wrote to memory of 1964	3952	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe
"C:\Users\Admin\AppData\Local\Temp\807675A50EE7545E02DAEAC9822842B7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1172
4⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1964 -ip 1964
1⤵
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\953fe6e2
Filesize
861KB

MD5
daed2e751199b2aa9953efae7d4f089f

SHA1
9687cebe75cb16e677e537befd26a9a3479c3ec7

SHA256
af11b0cc3d81ce286a82363e107e69a0536931003d6c74af87c97a5d4f70feb3

SHA512
f95d466d4f29ff7c10c33730a1e1d7885a771ace27f0f873b3045da439692819d5cb31cab72498b3413c38406089795c3c2056a3a95e8bb874956c5986a94e87

Download Submit
memory/1964-13-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-24-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-23-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-22-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-21-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-20-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-18-0x00000000007A0000-0x0000000000BD3000-memory.dmp

Filesize
4.2MB

Download
memory/1964-19-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-15-0x0000000000420000-0x000000000065C000-memory.dmp

Filesize
2.2MB

Download
memory/1964-14-0x00007FFBEC870000-0x00007FFBECA65000-memory.dmp

Filesize
2.0MB

Download
memory/3952-6-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/3952-12-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/3952-9-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/3952-10-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/3952-8-0x00007FFBEC870000-0x00007FFBECA65000-memory.dmp

Filesize
2.0MB

Download
memory/4436-0-0x0000000000A70000-0x0000000000B58000-memory.dmp

Filesize
928KB

Download
memory/4436-4-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/4436-3-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download
memory/4436-2-0x00007FFBEC870000-0x00007FFBECA65000-memory.dmp

Filesize
2.0MB

Download
memory/4436-1-0x0000000075470000-0x00000000755EB000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads