hijackloader

General

Target

63079f34-b294-4790-bfd5-bbad82995295.zip
Size

4.1MB
Sample

240612-2fg1vstamb
MD5

d812765381c5cf8d7f685a7b5a91b121
SHA1

e11309f0c4d03c3f4f2d06ed822c1059c90eaa75
SHA256

2018909ea853d972659d1dee439da81b963d8addb44c87ed533ca6320112cac1
SHA512

add54e5fa7d651c35aace63dae6d3b638409a8c923401f625ee0f15a8fb80239fd373c4f34145bf776114d93daeaa6b3554e6f999d2ff87c296a06ae00439f97
SSDEEP

98304:LGjCR6FF3OY9XegtO4wmoVt/jU778tvNSIuumgf2Ie29:L43OWXegyVx4Wv9rf2d29

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

vor11

C2

http://45.132.105.157

Attributes

url_path
/eb155c7506e03ca9.php

Targets

- Target
  
  63079f34-b294-4790-bfd5-bbad82995295/snss1.exe
- Size
  
  2.5MB
- MD5
  
  000e90eccf68a55c18d556b9255e0cf7
- SHA1
  
  4ba436301ec8511e9e45647cd3f3298df47c0f07
- SHA256
  
  fbce9f6897452177133b628f8dcd289564c3d28428cdcd2cbed519d9b8724b07
- SHA512
  
  9c80be1473eade67ad2cdc034bfe3bd00fb949740c4933933dfe835c36c442a02a1aaa9c1e9a3fc2cc47e0ea02549a035e0e446685a1edc7c7049ec262f5d034
- SSDEEP
  
  49152:Yk70vECi0ZwHlZK+cw//RM73jR3ETZFF//X9yJWgs/CgEY:Yv2FZKkRM73jJETZT9mof
Score

10^/10

hijackloader stealc vor11 loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  63079f34-b294-4790-bfd5-bbad82995295/snss2.exe
- Size
  
  5.3MB
- MD5
  
  9e2eb8188c5a194014e46598cbc80c70
- SHA1
  
  d83d68b451836928c830808a9e408c8f2cce2210
- SHA256
  
  d265adb64a79f3b27e77e11e093342b2df14840266deedabf1189bc539cc58fb
- SHA512
  
  3ff5fa8c0f1eb5bd7bf46a5a27392fb0865d61d8c09549f9d7f29306e30275a5b3436c520f82142dc7d3780c468aab2e7c79361457f7c5aa11a132c1ec49c009
- SSDEEP
  
  98304:PlW75lC85H0kxwkL+Wd5Cz1ljuDDCNlSM:Pwhr+45CzvjBlh
Score

10^/10

hijackloader loader rhadamanthys stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects HijackLoader (aka IDAT Loader)

Stealc

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Detects HijackLoader (aka IDAT Loader)

HijackLoader

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Deletes itself

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4