Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
19-06-2024 21:32
General
-
Target
hijackloader_stealc_new_hash.exe
-
Size
922KB
-
MD5
8839a2699343f7756f66a81a6baea1a7
-
SHA1
589e64aacc11f8b530a8c5408d51ca65d103205b
-
SHA256
6d3da611ddf750a9445e040cfae4a6c09f333f18f124dedf42bd2235f9405406
-
SHA512
3cffd09b4a646c4e3e1b46f6d38b088df6ca74a40bccb2c807d4027bec9878813d246ec82e4ebb408eb9e497651fb80d86cfabc62251edb8068b4a2f1644db0d
-
SSDEEP
24576:e8inPEBCZN5hoVlnJXzJ/SEVSoMAALia4:Dg5BuxF/SRF4
Malware Config
Extracted
stealc
cozy15
http://193.163.7.88
-
url_path
/a69d09b357e06b52.php
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Stealc
Stealc is an infostealer written in C++.
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe"C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99002a25Filesize
861KB
MD56702bd8b4bc5e3bb724ced63976ee4c4
SHA1768a3a97fcbcf70a40914848da08140e3e6e8628
SHA25669e06edc87abd0cba46df906d3d631199ed70e706396838b1e00599fbdec7f40
SHA512fad2e49d4559162ab99a8b32faa427c5134b1bba983808899b20831bf41f23a8115e882b52d29f610849c38231f7ccd16613d8c192df380e10c3c343b91c6e32
-
memory/208-7-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/208-13-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/208-11-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/208-10-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/208-9-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmpFilesize
2.0MB
-
memory/648-14-0x0000000000AB0000-0x0000000000CEC000-memory.dmpFilesize
2.2MB
-
memory/648-15-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmpFilesize
2.0MB
-
memory/648-16-0x0000000000AB0000-0x0000000000CEC000-memory.dmpFilesize
2.2MB
-
memory/648-20-0x0000000000370000-0x00000000007A3000-memory.dmpFilesize
4.2MB
-
memory/648-19-0x0000000000453000-0x000000000045B000-memory.dmpFilesize
32KB
-
memory/648-21-0x0000000000AB0000-0x0000000000CEC000-memory.dmpFilesize
2.2MB
-
memory/3708-5-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/3708-4-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/3708-3-0x00000000749B2000-0x00000000749B4000-memory.dmpFilesize
8KB
-
memory/3708-2-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmpFilesize
2.0MB
-
memory/3708-1-0x00000000749A0000-0x0000000074B1B000-memory.dmpFilesize
1.5MB
-
memory/3708-0-0x00000000007E0000-0x00000000008C8000-memory.dmpFilesize
928KB