General

  • Target

    Cozy World Setup.exe

  • Size

    48.1MB

  • Sample

    240618-a2tg8svbkq

  • MD5

    416ed566ab4740bcd2bcc44e369a6672

  • SHA1

    efd6b78ac07cd1d47b626f228524918aa707f1a9

  • SHA256

    4cd4f861a3294923fc97f741927c8b67543ac54cfde6692c9e151920b1f61a19

  • SHA512

    315ad6047936fca672fba345174ff4921b92e7b47caea946c495e4532460339025f0b4d15a384cedcf0cc323874ff6685037e0b01481f94f55cfaa330420a668

  • SSDEEP

    786432:EHTkzt3QiZQr4wuTktm4L8KJ/aTHl9I3gMvsQd+d9KFzwBrM+uS1A/DI1TA4ROzL:EHwggTksbmaTHli/sQ/zAMhSW/kNSzI6

Malware Config

Extracted

Family

stealc

Botnet

cozy13

C2

http://45.132.105.157

Attributes

  • url_path

    /eb155c7506e03ca9.php

Targets

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Stealc

      Stealc is an infostealer written in C++.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks