Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://room.icu

windows10-2004-x64

10

http://room.icu

windows11-21h2-x64

10

http://room.icu

macos-10.15-amd64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://room.icu

  • Sample

    240603-r1cxjahg4y

Score
10/10
hijackloaderrhadamanthysstealcdoralands1discoveryevasionexecutionloadermacosspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

doralands1

C2

http://45.88.79.153

Attributes
  • url_path

    /e36377ea7ac96c9f.php

Targets

    • Target

      http://room.icu

    Score
    10/10
    hijackloaderrhadamanthysstealcdoralands1discoveryexecutionloaderspywarestealerevasion

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Loads dropped DLL

    • Queries the macOS version information.

      An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

      discovery

    • System Checks

      Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

      evasion

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.

      evasion

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

AppleScript

1
T1059.002

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Hide Artifacts

1
T1564

Resource Forking

1
T1564.009

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

4
T1082

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Query Registry

3
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks