hijackloader | 4cd4f861a3294923fc97f741927c8b67543ac54cfde6692c9e151920b1f61a19 | Triage

Submit
Reports

Overview

overview

Static

static

7

Cozy World Setup.exe

windows10-2004-x64

Sharing

General

Target

Cozy World Setup.exe
Size

48.1MB
Sample

240618-a2tg8svbkq
MD5

416ed566ab4740bcd2bcc44e369a6672
SHA1

efd6b78ac07cd1d47b626f228524918aa707f1a9
SHA256

4cd4f861a3294923fc97f741927c8b67543ac54cfde6692c9e151920b1f61a19
SHA512

315ad6047936fca672fba345174ff4921b92e7b47caea946c495e4532460339025f0b4d15a384cedcf0cc323874ff6685037e0b01481f94f55cfaa330420a668
SSDEEP

786432:EHTkzt3QiZQr4wuTktm4L8KJ/aTHl9I3gMvsQd+d9KFzwBrM+uS1A/DI1TA4ROzL:EHwggTksbmaTHli/sQ/zAMhSW/kNSzI6

Score

10^/10

hijackloader stealc cozy13 discovery execution loader spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Cozy World Setup.exe

Resource

win10v2004-20240508-en

hijackloader stealc cozy13 discovery execution loader spyware stealer

windows10-2004-x64

19 signatures

600 seconds

Malware Config

Extracted

Family

stealc

Botnet

cozy13

C2

http://45.132.105.157

Attributes

url_path
/eb155c7506e03ca9.php

Targets

- Target
  
  Cozy World Setup.exe
- Size
  
  48.1MB
- MD5
  
  416ed566ab4740bcd2bcc44e369a6672
- SHA1
  
  efd6b78ac07cd1d47b626f228524918aa707f1a9
- SHA256
  
  4cd4f861a3294923fc97f741927c8b67543ac54cfde6692c9e151920b1f61a19
- SHA512
  
  315ad6047936fca672fba345174ff4921b92e7b47caea946c495e4532460339025f0b4d15a384cedcf0cc323874ff6685037e0b01481f94f55cfaa330420a668
- SSDEEP
  
  786432:EHTkzt3QiZQr4wuTktm4L8KJ/aTHl9I3gMvsQd+d9KFzwBrM+uS1A/DI1TA4ROzL:EHwggTksbmaTHli/sQ/zAMhSW/kNSzI6
Score

10^/10

hijackloader stealc cozy13 discovery execution loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

hijackloaderstealccozy13discoveryexecutionloaderspywarestealer

© 2018-2024

Terms | Privacy