hijackloader | c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39 | Triage

Submit
Reports

Overview

overview

Static

static

1

Dexis Setup.exe

windows10-2004-x64

Resubmissions

26-07-2024 23:18

240726-3ac1dsthre 10

11-06-2024 01:50

240611-b9q8hszbqh 10

09-06-2024 15:53

240609-tbyttach24 10

Sharing

General

Target

Dexis Setup.exe
Size

64.6MB
Sample

240609-tbyttach24
MD5

168e953440d699dc30a39402b4f6e625
SHA1

66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
SHA256

c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
SHA512

0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
SSDEEP

1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

Score

10^/10

hijackloader rhadamanthys stealc dex4 execution loader spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Dexis Setup.exe

Resource

win10v2004-20240508-en

hijackloader rhadamanthys stealc dex4 execution loader spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

stealc

Botnet

dex4

C2

http://45.88.77.28

Attributes

url_path
/f6a9d3a0017c37c9.php

Targets

- Target
  
  Dexis Setup.exe
- Size
  
  64.6MB
- MD5
  
  168e953440d699dc30a39402b4f6e625
- SHA1
  
  66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
- SHA256
  
  c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
- SHA512
  
  0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
- SSDEEP
  
  1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
Score

10^/10

hijackloader rhadamanthys stealc dex4 execution loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

hijackloaderrhadamanthysstealcdex4executionloaderspywarestealer

© 2018-2024

Terms | Privacy