Overview

overview

10

Static

static

10

hijackload...sh.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hijackloader_stealc_new_hash.exe

  • Size

    922KB

  • MD5

    8839a2699343f7756f66a81a6baea1a7

  • SHA1

    589e64aacc11f8b530a8c5408d51ca65d103205b

  • SHA256

    6d3da611ddf750a9445e040cfae4a6c09f333f18f124dedf42bd2235f9405406

  • SHA512

    3cffd09b4a646c4e3e1b46f6d38b088df6ca74a40bccb2c807d4027bec9878813d246ec82e4ebb408eb9e497651fb80d86cfabc62251edb8068b4a2f1644db0d

  • SSDEEP

    24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4

Score
10/10
hijackloaderstealccozy15loaderstealer

Malware Config

Extracted

Family

stealc

Botnet

cozy15

C2

http://193.163.7.88

Attributes
  • url_path

    /a69d09b357e06b52.php

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe
    "C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
          PID:648

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\99002a25
      Filesize

      861KB

      MD5

      6702bd8b4bc5e3bb724ced63976ee4c4

      SHA1

      768a3a97fcbcf70a40914848da08140e3e6e8628

      SHA256

      69e06edc87abd0cba46df906d3d631199ed70e706396838b1e00599fbdec7f40

      SHA512

      fad2e49d4559162ab99a8b32faa427c5134b1bba983808899b20831bf41f23a8115e882b52d29f610849c38231f7ccd16613d8c192df380e10c3c343b91c6e32

      Download Submit

    • memory/208-7-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/208-13-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/208-11-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/208-10-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/208-9-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/648-14-0x0000000000AB0000-0x0000000000CEC000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/648-15-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/648-16-0x0000000000AB0000-0x0000000000CEC000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/648-20-0x0000000000370000-0x00000000007A3000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/648-19-0x0000000000453000-0x000000000045B000-memory.dmp

      Filesize

      32KB

      Download

    • memory/648-21-0x0000000000AB0000-0x0000000000CEC000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3708-5-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3708-4-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3708-3-0x00000000749B2000-0x00000000749B4000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3708-2-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3708-1-0x00000000749A0000-0x0000000074B1B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3708-0-0x00000000007E0000-0x00000000008C8000-memory.dmp

      Filesize

      928KB

      Download