hijackloader | 6b953bd9494e5f61c1ede1ec264bf6df54911c4edefecd2eda3fb11fdbd10785 | Triage

Sharing

General

Target

aca5b2387c10786a2306a98166581a60_NEIKI
Size

758KB
Sample

240509-arydfagb7t
MD5

aca5b2387c10786a2306a98166581a60
SHA1

3338f237b591b0775b45dcfab61ca79dc696a098
SHA256

6b953bd9494e5f61c1ede1ec264bf6df54911c4edefecd2eda3fb11fdbd10785
SHA512

91146233039cdc73979930bc77405d0f3f21176c1399f8cae87e2e1425da015255f6a66857a76538e165c4ec2ae75587e70229818e1039d9c592721a0141b457
SSDEEP

12288:KUZy93y/u81hwyayMUx9XZ0rajhHCYdzyU1WjTA1Ax9Ctn:KUZKyuwLayTor+NyRjk1Me

Score

10^/10

hijackloader sectoprat bootkit loader persistence rat spyware trojan

Malware Config

Targets

- Target
  
  aca5b2387c10786a2306a98166581a60_NEIKI
- Size
  
  758KB
- MD5
  
  aca5b2387c10786a2306a98166581a60
- SHA1
  
  3338f237b591b0775b45dcfab61ca79dc696a098
- SHA256
  
  6b953bd9494e5f61c1ede1ec264bf6df54911c4edefecd2eda3fb11fdbd10785
- SHA512
  
  91146233039cdc73979930bc77405d0f3f21176c1399f8cae87e2e1425da015255f6a66857a76538e165c4ec2ae75587e70229818e1039d9c592721a0141b457
- SSDEEP
  
  12288:KUZy93y/u81hwyayMUx9XZ0rajhHCYdzyU1WjTA1Ax9Ctn:KUZKyuwLayTor+NyRjk1Me
Score

10^/10

bootkit persistence hijackloader sectoprat loader rat spyware trojan
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

hijackloadersectopratbootkitloaderpersistenceratspywaretrojan