hijackloader

Resubmissions

19-06-2024 01:29

240619-bv78gswajp 10

19-06-2024 01:23

240619-brv4ravhkp 7

Sharing

Copy URL

Twitter E-mail

General

Target

Vorion App Setup.exe
Size

47.3MB
Sample

240619-bv78gswajp
MD5

019deea60b1ed114c79d7e99d6f34c62
SHA1

71e928e93900ab62d379104fd0c847f35e6f87ce
SHA256

48320cb8fd5ed9a3ccbaf9fc03bd160c3694c79d0efc8a8cf899069fc1d8e677
SHA512

8c0ad3b65fe10f9fd16ef54e432b2dbca31343d62820f9ec63028a810bb2088397c2c7db4c2689ca39eceb75f3736379ed31d5d0acdd6784def3ca538a93b3c2
SSDEEP

786432:OeMGFdbCRVH/wb1eGgw6lxr7gyvFRN3GQ5PesBc8t9u4lVqwODANujJ7j8:OQdS/wgGg5nr7gy8sBc8Luu8Akj8

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

vor13

http://45.132.105.157

Attributes

url_path
/eb155c7506e03ca9.php

Targets

- Target
  
  Vorion App Setup.exe
- Size
  
  47.3MB
- MD5
  
  019deea60b1ed114c79d7e99d6f34c62
- SHA1
  
  71e928e93900ab62d379104fd0c847f35e6f87ce
- SHA256
  
  48320cb8fd5ed9a3ccbaf9fc03bd160c3694c79d0efc8a8cf899069fc1d8e677
- SHA512
  
  8c0ad3b65fe10f9fd16ef54e432b2dbca31343d62820f9ec63028a810bb2088397c2c7db4c2689ca39eceb75f3736379ed31d5d0acdd6784def3ca538a93b3c2
- SSDEEP
  
  786432:OeMGFdbCRVH/wb1eGgw6lxr7gyvFRN3GQ5PesBc8t9u4lVqwODANujJ7j8:OQdS/wgGg5nr7gy8sBc8Luu8Akj8
Score

10^/10

hijackloader stealc vor13 discovery execution loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  15KB
- MD5
  
  d095b082b7c5ba4665d40d9c5042af6d
- SHA1
  
  2220277304af105ca6c56219f56f04e894b28d27
- SHA256
  
  b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
- SHA512
  
  61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
- SSDEEP
  
  192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  50016010fb0d8db2bc4cd258ceb43be5
- SHA1
  
  44ba95ee12e69da72478cf358c93533a9c7a01dc
- SHA256
  
  32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
- SHA512
  
  ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233
- SSDEEP
  
  48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10
behavioral7 behavioral8
- Target
  
  Accessibility.dll
- Size
  
  20KB
- MD5
  
  fb554f9fe0b91f135d26ac6459cfd6f2
- SHA1
  
  b1269a2c28bded872b14fe70b69484631ef3a65d
- SHA256
  
  929ea150ad45b7c7dd5427461fbec44d43b67c08081f59b42b6abf570feae271
- SHA512
  
  8dffde6cddfc59ec380111fd36048126559e1f1e080c081ca0d09021bb23d6888e93e1659c7b3a8fa46f76602b03cf3e638ec1a80fba79e51648dcb32362e10c
- SSDEEP
  
  384:qBmy0h6gSGRaOcHitWG/W65kHRN7lI+R9zJKBd:7SNOcHOUOi9zEBd
Score

1^/10
behavioral10 behavioral9
- Target
  
  D3DCompiler_47_cor3.dll
- Size
  
  4.7MB
- MD5
  
  03a60a6652caf4f49ea5912ce4e1b33c
- SHA1
  
  a0d949d4af7b1048dc55e39d1d1260a1e0660c4f
- SHA256
  
  b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3
- SHA512
  
  6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4
- SSDEEP
  
  49152:xCZnRO4XyM53Rkq4ypQqdoRpmrgBVYvkaRwv/ZD0/WYLDltog/RfznLeHTRhFRNI:YG2QCS6HHzog/pznA7T6VP
Score

1^/10
behavioral11
- Target
  
  DirectWriteForwarder.dll
- Size
  
  526KB
- MD5
  
  69044c681ea1eedca54d13ed97e1452a
- SHA1
  
  f4fbb066afa38be160fc4462994b2cdb67af5cca
- SHA256
  
  778936b5baf157c3a040955bc637936952e7b68c5aff83536d4b613ed9691cde
- SHA512
  
  4aed9e46d1670e6b85254bf905e4bcc53e3fa9d7e1b29d434c86ee42feb90a992e80057ad476ee4561389368ed8308e9f9548012d85dec26dcda9dc2ecb766d8
- SSDEEP
  
  6144:PQd8G8WEjiXSMYhtsOljgEk+hY8rY2JQT296UKf12fzfOqpo0EVbn95n3i1+wZ:P5G8WEjiX/Yvh0E9rY2NDJO0Cbn9d3S5
Score

1^/10
behavioral12 behavioral13
- Target
  
  Microsoft.CSharp.dll
- Size
  
  982KB
- MD5
  
  8e7612cc8019d952a93d9b777e71b802
- SHA1
  
  d973dfb790614e9a5e7c3ce8b421c085d11937ed
- SHA256
  
  df495f74456ad5ae30a5bac440b4d3808fa2d13c377cce1afc0146b8319ded6e
- SHA512
  
  3a818940d3c6f5da11bc86c974a54323ae2a1ad876613790ffe68aa5b674c54e5de0c133614236f45a89de86a5547cae4f8e6f2c97d7874221b2b1a285e14355
- SSDEEP
  
  24576:XUpXJ0Hy8Ext+9whtbSa0wHVu9yH1sCzwUD/zD:EpXiHyN++tbLzHVu9yHXPjH
Score

1^/10
behavioral14 behavioral15
- Target
  
  Microsoft.DiaSymReader.Native.amd64.dll
- Size
  
  1.8MB
- MD5
  
  804b9539f7be4ece92993dc95c8486f5
- SHA1
  
  ec3ca8f8d3cd2f68f676ad831f3f736d9c64895c
- SHA256
  
  76d0da51c2ed6ce4de34f0f703af564cbefd54766572a36b5a45494a88479e0b
- SHA512
  
  146c3b2a0416ac19b29a281e3fc3a9c4c5d6bdfc45444c2619f8f91beb0bdd615b26d5bd73f0537a4158f81b5eb3b9b4605b3e2000425f38eeeb94aa8b1a49f2
- SSDEEP
  
  24576:qz0s9kT3H8I0bo5rjwjnbRCJMy37DjZ3IrVynoT/RUqtMAIEohkGXTwImgP:qYs9m3H5rjQn1CiAnZ3yV+oTZQEoTTH
Score

1^/10
behavioral16 behavioral17
- Target
  
  Microsoft.VisualBasic.Core.dll
- Size
  
  1.2MB
- MD5
  
  3a037c21af5742650933cebf0521f3d6
- SHA1
  
  8b22127c4feb185c5d02d83b5f1fe3815821036c
- SHA256
  
  34271825351d9871583dead758b44676ef2bac56c4b7ac7124fadb087ea44f6e
- SHA512
  
  3451bd4b3053d3834f07fc1d0d6a691fdadab2b7290d1ad21b48e9f319249aac89455b1caea463beb4b2910b90b7f8a518221b2f3b0e3863beca3104030c8ee3
- SSDEEP
  
  24576:qFMvfAlbPZy4jHHa2frxkxRecGSIsRv3i6hFqQX:qFMvolTvHHa2DqT3i4
Score

1^/10
behavioral18 behavioral19
- Target
  
  Microsoft.VisualBasic.Forms.dll
- Size
  
  242KB
- MD5
  
  79fe89013356423a12f52fb8a09a54c7
- SHA1
  
  3e5fda4b2c8d3b41c9b88404a01a2b8dcfd06ebe
- SHA256
  
  62878ad85c315f06a00f7f1f543bba3f411838e80fb7bfe4d6f6ec935930efdc
- SHA512
  
  3a3d927a7944b40fcc6990c94574eb42b1e7fcbbd29f405d0dc5471c63549c63f7b7c61a3d17c2fd33cfc21c4bab0492e6532b6542cb4d24e10bd9dd0bb249d3
- SSDEEP
  
  6144:K6IA96ZdbZRjEtB5dzAbxbDme2NUIPOzQI:f9MbYZdGpgUwOcI
Score

1^/10
behavioral20 behavioral21
- Target
  
  Microsoft.VisualBasic.dll
- Size
  
  18KB
- MD5
  
  e5ce0f3a5d15d8b6693724c40197a9fe
- SHA1
  
  2e0b6bfdbb5c185ca71fe1d5b5f0eab18d568471
- SHA256
  
  9d20ca17355838ff3d2f3c89fbaf7c705bd01d297d1eb589489a84f6430da894
- SHA512
  
  3b87f295c1d914dc1ae95798e2ee1fcef40dc0ab1688ec247d4c2c777c253912980ecc8bfba11f0327a9d8bda9c1c36752de9ba936cba902ccb4cbfa7e82a26d
- SSDEEP
  
  384:+2gfnShxL2GlzxWmHr9QdWTTb2HRN7AxR9zr75:+5n6lZlzX/iA79zh
Score

1^/10
behavioral22 behavioral23
- Target
  
  Microsoft.Win32.Primitives.dll
- Size
  
  15KB
- MD5
  
  300c95ff95b52e8a02fec6bfcfa58225
- SHA1
  
  b646f89fcd463ad5c19889b4fea40540568b780c
- SHA256
  
  f1b40565e5c4c41da810aee5b7d2272a0906e88f796812435aa5ed712bcac40c
- SHA512
  
  9bfe0eb6eea98b2d35aa42986a273ec82424143965e173b32bb4b7e5537580a027940a6952a45fc54f0b665e871deb2a95651106c2f24c7de3b3d3cd2dec7e89
- SSDEEP
  
  192:Vi0pAxFWh/pWYuWXebPpUNTQHnhWgN7agWlnfEl+X01k9z3AE1a9Fb4hk6gn:ViMeFWh/pWYTb2HRN7cY+R9zF1aLchkv
Score

1^/10
behavioral24 behavioral25
- Target
  
  Microsoft.Win32.Registry.AccessControl.dll
- Size
  
  34KB
- MD5
  
  8ed7b1aa897a85bd5619220f28be88ef
- SHA1
  
  539839a6fc00d462340d569fff8f42b06010df8f
- SHA256
  
  9ee0d84655655e39ede6d23aed940c98a3a8eb6270d878b252ea1720f750cead
- SHA512
  
  2caacc3f8b5084effeac526873365697f72e242fbaa71a94fe5e739dbfe5dd35a85ad618d31d2ddc65d648c3f2f5ad436d14f9d4bcaa813e88e4bf1643e3a196
- SSDEEP
  
  384:FWFPrWFVHFcKRKbUWTb2HRN7Jr+Hj+R9zjj2X:M6FvRKbH/iwHji9zY
Score

1^/10
behavioral26 behavioral27
- Target
  
  Microsoft.Win32.Registry.dll
- Size
  
  118KB
- MD5
  
  b69cd4e54d44e1d73ebe2c1a492dff43
- SHA1
  
  44739e4f0a64cd1dce73afddae1e27c20e663757
- SHA256
  
  e1c83bc80e79863e80cfaca350291ae5bdf942c59f39e812770039bdaa660ac9
- SHA512
  
  9aaf53d69401175f35f079b031806266ec419170205a0291f38986a4b1cc39704f1e081ff18d178b0fb9d9b5eaceca60384e7e1fa2eeaaab88b2e157a1f8e667
- SSDEEP
  
  3072:5vauwrxjsbG4TJ6UJSvEVcULVi8AiC1HLP:AQ64t6UJSvEVzIlb
Score

1^/10
behavioral28 behavioral29
- Target
  
  Microsoft.Win32.SystemEvents.dll
- Size
  
  94KB
- MD5
  
  089edcaae873c9371b2dc9a4399f62b9
- SHA1
  
  441686e76986ecf295e50e80a78dc093dc9f9a02
- SHA256
  
  c81a58bd27c74f91e26245c530c4cadc5425a1a1586886c6a5631eef9d81fde2
- SHA512
  
  6b88f9264fdbbb0585efa21940fc888c593862ebb3bd305890294f64b37a81967a8ab2fbba30aa3f5db2994c25c57929df1644e269be898b77c77d4c0181f943
- SSDEEP
  
  1536:BF0vV+d5uN62jM2HHdKCqN/4IGrtsD3jvSD7Tir+zr:Bav8d8N5jpH0QIGrYjW7l3
Score

1^/10
behavioral30 behavioral31
- Target
  
  PenImc_cor3.dll
- Size
  
  158KB
- MD5
  
  362e037c4be1cb28fac25612e9be029d
- SHA1
  
  4a11ab39dbd0dba5480f54324c58f8294b19ce5f
- SHA256
  
  f95b51b5bee746ea3430a277f0473f42e4e22fc12b8dbfc719346cee579b80ff
- SHA512
  
  945b6cc6cba7742323b6cc023eb78b227180bf8a0f8c134871948410b48d9399ae68f52ef80e18945fb018508f92ae6da9584c75c6f12fe06f6e86fdea4611d6
- SSDEEP
  
  3072:OzAUq2kMBlUb8BQLBzDUw7aaHSuEmUgPuoATZ+AiRvYY4ZmoJ:OzHkMTvmLtDUw2huEmd2LbYvi
Score

1^/10
behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detects HijackLoader (aka IDAT Loader)

Stealc

Command and Scripting Interpreter: PowerShell

.NET Reactor proctector

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32