hijackloader

Sharing

Copy URL

Twitter E-mail

General

Target

Vortax App Setup.exe
Size

47.3MB
Sample

240520-2y312sad85
MD5

cab622641242a6f2fcbb8a1ae2698fd2
SHA1

9d56b54643706787c16f0cae4e9e565c1e1a49ec
SHA256

f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843
SHA512

324ad8a7669d15ef19d0c1d7b362d17f2118414b4e8672921fe45994db0425200a38e26fc4c169ecb19f7c4aa8233fc5dfd32c3cb32e600cc031139d0e530cf1
SSDEEP

786432:MXCn7F7DZHw0SLuXUG6fssNb8ReGJqznv+DGODFjupn5oZfikV6PH2fLbTvkw0Y7:MyRPZQ5LKQ0sNGWO1FpZf+PH67vkoGKL

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

vor16

http://89.105.198.134

Attributes

url_path
/244cbe83570df263.php

Targets

- Target
  
  Vortax App Setup.exe
- Size
  
  47.3MB
- MD5
  
  cab622641242a6f2fcbb8a1ae2698fd2
- SHA1
  
  9d56b54643706787c16f0cae4e9e565c1e1a49ec
- SHA256
  
  f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843
- SHA512
  
  324ad8a7669d15ef19d0c1d7b362d17f2118414b4e8672921fe45994db0425200a38e26fc4c169ecb19f7c4aa8233fc5dfd32c3cb32e600cc031139d0e530cf1
- SSDEEP
  
  786432:MXCn7F7DZHw0SLuXUG6fssNb8ReGJqznv+DGODFjupn5oZfikV6PH2fLbTvkw0Y7:MyRPZQ5LKQ0sNGWO1FpZf+PH67vkoGKL
Score

10^/10

hijackloader stealc vor16 discovery execution loader spyware stealer rhadamanthys
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  zh-Hans/PresentationUI.resources.dll
- Size
  
  42KB
- MD5
  
  19783e0668a147ad36af534ed0a14193
- SHA1
  
  349fe8589570565b02876fb51fc761600a43bb10
- SHA256
  
  aa454ef5be05a806d51a0f350adf6d1769a161d765a818dfefe394c20eab64c6
- SHA512
  
  8aad9a1fa3148dfd926e5ffa56a1343fe2db909a7a814312464f331a52641b6296cde093e231a964ee204e75f5b2e5923e81e45a32296e6b82def4a696e1b266
- SSDEEP
  
  768:GKed0SYi7Skr+FoyNh1hn0A3Prs4vgXfMGv5YdcSsmC5YUghVOA/K/iQHji9z6O:Cd0SYiTiHn0A3Prs4vcfMGv5YdcSsmC8
Score

1^/10
behavioral3 behavioral4
- Target
  
  zh-Hans/ReachFramework.resources.dll
- Size
  
  36KB
- MD5
  
  0c4ba0386a3c1b922dd70a78da4ce64f
- SHA1
  
  83c098de0b86bec573203bea59425605e659f42c
- SHA256
  
  b75111e46193b174a4ddc4d39a112ef8c023a5c693df6650a5f1410e0016f7ef
- SHA512
  
  ef74c6291aa6eea1a0a1800e89682e1a599a97227730bf55e7bc06dce5d04224968e713ef8e797c22d2ae52c4787f6538bde9f704b0dced7f19540e1fa63f7ea
- SSDEEP
  
  768:F/UOgMne+nvV9fWpVPKFPl27L2vRmjJAU0rXRCOD8j34GTZy0heSS15WyItgUmdp:GOgMne+nvVuI0wKKItgUmdSZ7iwGtIir
Score

1^/10
behavioral5 behavioral6
- Target
  
  zh-Hans/System.Windows.Controls.Ribbon.resources.dll
- Size
  
  18KB
- MD5
  
  df2fc6490e58edfa221e393681ad6fda
- SHA1
  
  cbe533d79bd74154c0a42cee7bb0fa20150bc966
- SHA256
  
  a30c681bf7b52d6f91309fd921bf80df2ce7119c00d8a66330cb8945e48186c5
- SHA512
  
  0fcd8e190100be81e64850022af1ebc107f04be94132e65b531161c3b5925a31a1e7b05f0dd5e3d6f4710b4b83ffe0486f5814dfe1a08f417343a036e5749f65
- SSDEEP
  
  384:WhWu5Q36ertWV875kHRN7W++5I+R9zJKR4:iHQ36eI5WEi9zER4
Score

1^/10
behavioral7 behavioral8
- Target
  
  zh-Hans/System.Windows.Forms.Design.resources.dll
- Size
  
  141KB
- MD5
  
  62955b45cce45d9fd1cfcf0d946f6777
- SHA1
  
  e76accd806ebadd6051805cf034c9386bfe40e9e
- SHA256
  
  1fd16be3c684b2a127785790e355b031eacbb4e81b7891ab621d7db01dabd504
- SHA512
  
  ccb0ab489f3710fa5e1ef5cf8c111d98c7a22a719e363ad31a36349b35129d00c8026bc85165f95fd223452765e941332e47e508058c2769d2f8df6706a0546d
- SSDEEP
  
  3072:b5R9MtbGzbtyHZ/I11DKdwWorcP4IVCLAFmbZanokelG5YCVHBqDBvQBaKpWmsSm:bzSXJSHea/Iv2uo
Score

1^/10
behavioral10 behavioral9
- Target
  
  zh-Hans/System.Windows.Forms.Primitives.resources.dll
- Size
  
  15KB
- MD5
  
  6fa9fed408ade2884a94e7c8d1a7778c
- SHA1
  
  6df1a4f1e7fc14479e4e39c0dcc3d140cf12ff7c
- SHA256
  
  5bd79876c04b7a4b63ca0cd78edcde2e10770aa9f1ddf0c7c7132877f79d88c0
- SHA512
  
  56dd8ea02662d380afe46670f569a76fa3b184f7081cea80382caaed47780a4c1cc1d3f9f7c89018a19c3a39737706b18e2300f34a00cd453104491630ea10f4
- SSDEEP
  
  192:U7A6wePqOUWNiW4uWXebPpUNTQHnhWgN7aIWdSsRH+BEg7X01k9z3AQdKa:z6DqbWNiW4Tb2HRN7G8R9zr4a
Score

1^/10
behavioral11 behavioral12
- Target
  
  zh-Hans/System.Windows.Forms.resources.dll
- Size
  
  312KB
- MD5
  
  e9bcfcbd6ff63082c1af190cfb6e000d
- SHA1
  
  e6597132638cec51a30ea169bad12ed7e78c2797
- SHA256
  
  86ee444b40d7e5b1bc3079b17e600998f15570860948faf0e3327b7daaf39fa8
- SHA512
  
  cfdf45d9a872bb6d2314627c5eca1c47d207c8c70c1dfe661499786d106413ff1b5ae19f2a300c8b04052c3c3bb7f5eba9ffc8b19c1504277536d7afd8cef433
- SSDEEP
  
  6144:CqcUKNvHTngTvI4v18GWwPGtzwkbmNp6htBrF:CqcU9NyF
Score

1^/10
behavioral13 behavioral14
- Target
  
  zh-Hans/System.Windows.Input.Manipulations.resources.dll
- Size
  
  16KB
- MD5
  
  185eb76baf903123ce675848246f6433
- SHA1
  
  c412595c9b3e40365d78ecf29ead7c2818b3d292
- SHA256
  
  ab6c90e2050952dce7998487178901baa8f8e1415579666ab8332b6f73df3aaf
- SHA512
  
  2fcbc6da5d780ba31a584dc65370732418644cd636722f443f0c66bebc6c56af7b3337790e4104d5af0183ee6d6a49012adfaa5516cd0d611fde698981a87e34
- SSDEEP
  
  192:Xvh5I0AY+ptHCvZJaaQWpgjhuWXebPpUNTQHnhWgN7a8WnDasZmp8TKjX01k9z31:XpBE8QWpgjhTb2HRN7ZssWAR9zgX2iiN
Score

1^/10
behavioral15 behavioral16
- Target
  
  zh-Hans/System.Xaml.resources.dll
- Size
  
  59KB
- MD5
  
  d8a8c0ef8cb33fa59c223b5646e492e7
- SHA1
  
  6c8978eec29a9e5a5e4e6fb16261df88480c655c
- SHA256
  
  02badcc47cdfcf8a361bc9109024b911ef8882e0069d3a9397d66ea0189978e6
- SHA512
  
  0e6c81dc379912ec8ad89384d135b159e39dbcd23ae70e244d41e39b8e6d50cf1e0d0119c94ac9f29e0ae9ded3d4649506ab61faf412971b946a03182da363cc
- SSDEEP
  
  768:lZOvyTuLqN/q1SqsT+lGnTrcmc0oDSM13OQK3KG9/D+3CPQxU08ziXRmgu4O7/i9:avyXPjAmu32KfyyZmr4OLip9zTN
Score

1^/10
behavioral17 behavioral18
- Target
  
  zh-Hans/UIAutomationClient.resources.dll
- Size
  
  19KB
- MD5
  
  cacba1037a31dc19efdb546ae0faadd5
- SHA1
  
  1ad9f3e66969294fef49ac6eb6803b04761146b3
- SHA256
  
  08ad355f4e8eda849a3ace50b8c939dabb1f4669910f7837a047ac2ffd7b9c4a
- SHA512
  
  f802d0d9c7abb1cae13cdc4cd444188df8cdf9348073e7c2e0958289eedcaf75904b1f0b8caf7dafbc25be35458c06b0ba38e1aeb324d03784e5b0038c5b6f78
- SSDEEP
  
  384:afet3+LgiuatiF8tWSKAITb2HRN7oEnR9zV6Kbmv:Iet32g76iFrb/ioER9zVtbmv
Score

1^/10
behavioral19 behavioral20
- Target
  
  zh-Hans/UIAutomationClientSideProviders.resources.dll
- Size
  
  20KB
- MD5
  
  1ad80ceccbf82de5c4cb84192a8047f8
- SHA1
  
  a3626848a531c5a94ba4cb618ea54ecee0c8a252
- SHA256
  
  969b0fe234d4c281140e526041b143947c0cdb5c363568bba05b3023701f239a
- SHA512
  
  22433e7fb5418df762b93cd44974dd60b55642bd385b2cd52c1a38073d387c153dc5ff7866efb340a9e8cf8a9f10219520d70a15b2ef6f115c11a447a2ff2438
- SSDEEP
  
  384:6sRBH3FD8YtWKXUTb2HRN7Q/uVwR9z1PPBx:JRB3Fo4k/io9zZPH
Score

1^/10
behavioral21 behavioral22
- Target
  
  zh-Hans/UIAutomationProvider.resources.dll
- Size
  
  15KB
- MD5
  
  fea5351b7d23ece45687934c15ef8dcb
- SHA1
  
  744364cf4f0fd65e5001c33bcf3d4f6c66583f8c
- SHA256
  
  1b6f884d9956d737e34c41eb2013b782f5024164b11ae5006b88575947ab89c4
- SHA512
  
  cf4fa7095bcd855e68e4243b9906598a7b7b30ff8a2717b58c0692dc3d97e118ac83350dfa8dc02c750a549307ff78717c855dad7c264577b063fb85e1715556
- SSDEEP
  
  192:zZ3Z3r6WtZF2tWb+juWXebPpUNTQHnhWgN7a8WqdvYKKWDKHjj3SX01k9z3A8FPt:5lWEitWb+jTb2HRN7bb+Hj+R9ztPiLE
Score

1^/10
behavioral23 behavioral24
- Target
  
  zh-Hans/UIAutomationTypes.resources.dll
- Size
  
  17KB
- MD5
  
  53f28aa0ee8c9e79997452f4d5cef262
- SHA1
  
  68dfeec04a411e5a0ab091dc89d65df833af3c4c
- SHA256
  
  4f630e05a68bdf5e0bb830a7f186dd8305c9693a57016dcfec173981677e55eb
- SHA512
  
  a64e897f085e196f1b7155249bb77a0cd07e03995061c30bd37009ed46d8997edee2643331451e18724644b902a3ebb8bdf7922048ee869851650d02e8c9a645
- SSDEEP
  
  192:nOtCxS22SOB4datnztWLWRBJpcuWXebPpUNTQHnhWgN7aIWkjjH+BEg7X01k9z3t:OtCxDunztWIBcTb2HRN7/sR9zrx
Score

1^/10
behavioral25 behavioral26
- Target
  
  zh-Hans/WindowsBase.resources.dll
- Size
  
  77KB
- MD5
  
  3e6bb2e889a2c1fcf08ab60c40772f77
- SHA1
  
  6cf8e65bb60b547a242b6048533ceae6b36fda1b
- SHA256
  
  11765e2a7b3a3b424b99b45bd59c42ca976d29ed9f792d30e9b6bbd2f1d3fc5d
- SHA512
  
  fa3b68bd52a1c3c60e15f68b9e3be2f576f5997e315078073d0e7a07c58fb92b284b4f28581d094a9b73cf1d14fe057a89ee922048a83e4fa2d497939cf7ac37
- SSDEEP
  
  1536:7V+wjmTJyaQ4dPG8HTnhgMHgkwbcx8ma03BMLa6Y7lxnu4VPiShzUQ:77mTJyaQ7m6kwbY8mx/6Y7lxnu4VhhYQ
Score

1^/10
behavioral27 behavioral28
- Target
  
  zh-Hans/WindowsFormsIntegration.resources.dll
- Size
  
  15KB
- MD5
  
  0ca4233564dc1f5044e16c67f772cfdc
- SHA1
  
  0d914bb831a10e596a5a2f868a0fef922d9e4e16
- SHA256
  
  9387b4a9e6d8340fc12668f20118636c7a05334030c21cfee8ecd39f704fd1a8
- SHA512
  
  8cab430cfba6e2e5215ee013e57c30d271a467a06e3f0bb7bdddb964c8ed2b482d6741f0bec28004fb8c99a043bfc8c63f1e50e02e1ea77b083c35dbeb835db3
- SSDEEP
  
  384:TKtLFLHfFWq0tWSfNA5kHRN7AuxIUR9zD2:EZHfcqsTbxt9zK
Score

1^/10
behavioral29 behavioral30
- Target
  
  zh-Hant/Microsoft.VisualBasic.Forms.resources.dll
- Size
  
  24KB
- MD5
  
  7921979c52c5c19fec0ba986727cf025
- SHA1
  
  956e88381c7a92a15f3a59a8fe0739e95922381a
- SHA256
  
  19ba34c438964a1fa27d120f5e5022a20501dd97074df4776f16815707ca00db
- SHA512
  
  5a5d683cb7dd94ecc40d8a36a6c1de501456f4f10d9559787ac431ca0da7a5860487fd074125954019fed1c084ba8382e3181b826c416a06d8cff093b2099ea2
- SSDEEP
  
  384:HtyzKXSXRaRmInXdXxaxtSQuTmd21K/hCiy6lVgaWYHwhQ5WOW5kHRN7FsPI+R9q:NyzHIGtZa6w2VQ+/FBi9zENd
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects HijackLoader (aka IDAT Loader)

Rhadamanthys

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

.NET Reactor proctector

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32