hijackloader | ef62979af506ec3ac2c176bc667465940ca4a1e4f8229e0bc992fec715d43ae8

Resubmissions

19-06-2024 21:00

240619-ztfnva1fkd 10

19-06-2024 20:53

240619-zpdnpawalj 10

19-06-2024 20:28

240619-y876zazfpd 10

Analysis

max time kernel
515s
max time network
524s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hijackloader_stealc_new_hash.exe
Size

922KB
MD5

4081d00fabf6ba8e9eb58202ea053735
SHA1

22afaf01961b36e741d104bd3b96ce8df4fbf519
SHA256

ef62979af506ec3ac2c176bc667465940ca4a1e4f8229e0bc992fec715d43ae8
SHA512

1434efa23afd3cb95d0a55a17b246cbee0179072660ce0458701cf9b3b8075217b0864be09a2bbc428c2b9f2253cace6361f874ad8f1d2f472f9f34bd0bc4eda
SSDEEP

24576:e8inyEBCZN5hoVlnJXzJ/SEVSoMAALia4:DgABuxF/SRF4

Score

10^/10

hijackloader stealc cozy15 loader stealer

Malware Config

Extracted

Family

stealc

Botnet

cozy15

http://193.163.7.88

Attributes

url_path
/a69d09b357e06b52.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/4816-0-0x00000000007E0000-0x00000000008C8000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Deletes itself 1 IoCs

pid	Process
3356	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 3356	4816	hijackloader_stealc_new_hash.exe	83

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4816	hijackloader_stealc_new_hash.exe
4816	hijackloader_stealc_new_hash.exe
4536	powershell.exe
4536	powershell.exe
3356	cmd.exe
3356	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4816	hijackloader_stealc_new_hash.exe
3356	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeBackupPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3356	4816	hijackloader_stealc_new_hash.exe	83
PID 4816 wrote to memory of 3356	4816	hijackloader_stealc_new_hash.exe	83
PID 4816 wrote to memory of 3356	4816	hijackloader_stealc_new_hash.exe	83
PID 4816 wrote to memory of 3356	4816	hijackloader_stealc_new_hash.exe	83
PID 3356 wrote to memory of 1256	3356	cmd.exe	93
PID 3356 wrote to memory of 1256	3356	cmd.exe	93
PID 3356 wrote to memory of 1256	3356	cmd.exe	93
PID 3356 wrote to memory of 1256	3356	cmd.exe	93
PID 4536 wrote to memory of 4116	4536	powershell.exe	101
PID 4536 wrote to memory of 4116	4536	powershell.exe	101
PID 4536 wrote to memory of 1464	4536	powershell.exe	102
PID 4536 wrote to memory of 1464	4536	powershell.exe	102

C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe
"C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\system32\findstr.exe
  "C:\Windows\system32\findstr.exe" /i syswow64
  2⤵
  PID:4116
- C:\Windows\system32\findstr.exe
  "C:\Windows\system32\findstr.exe" /i explorer
  2⤵
  PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\891bb7d7

Filesize
861KB

MD5
14f4d8e5471727ec3788d11ab51a45f6

SHA1
e28744c99aa1cb040be65ea32215f3380edd4a11

SHA256
c6d3e4deadd7d055dc81546570027dd97afe5d2ef91f72513b0b2a278e3b85ac

SHA512
2f334a8b1b34a075f346563b7fbeb5871df40d09cd89d26141210a9753714cc17a5bddec8471438ac90c46688a49b7754147c7c3a3e659588becbe4524cdddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2jtcxai.jf1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1256-42-0x0000000000A40000-0x0000000000C7C000-memory.dmp

Filesize
2.2MB

Download
memory/1256-40-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Filesize
2.0MB

Download
memory/1256-39-0x0000000000A40000-0x0000000000C7C000-memory.dmp

Filesize
2.2MB

Download
memory/1256-45-0x0000000000A40000-0x0000000000C7C000-memory.dmp

Filesize
2.2MB

Download
memory/3356-24-0x00000000755B1000-0x00000000755BF000-memory.dmp

Filesize
56KB

Download
memory/3356-38-0x00000000755B1000-0x00000000755BF000-memory.dmp

Filesize
56KB

Download
memory/3356-36-0x00000000755B1000-0x00000000755BF000-memory.dmp

Filesize
56KB

Download
memory/3356-29-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/3356-28-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/3356-26-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Filesize
2.0MB

Download
memory/3356-46-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/4536-17-0x0000021B3B230000-0x0000021B3B252000-memory.dmp

Filesize
136KB

Download
memory/4536-34-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp

Filesize
10.8MB

Download
memory/4536-21-0x0000021B3D740000-0x0000021B3D7B6000-memory.dmp

Filesize
472KB

Download
memory/4536-20-0x0000021B3D670000-0x0000021B3D6B4000-memory.dmp

Filesize
272KB

Download
memory/4536-19-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp

Filesize
10.8MB

Download
memory/4536-31-0x00007FFBF7973000-0x00007FFBF7975000-memory.dmp

Filesize
8KB

Download
memory/4536-32-0x0000021B3B260000-0x0000021B3B270000-memory.dmp

Filesize
64KB

Download
memory/4536-33-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp

Filesize
10.8MB

Download
memory/4536-35-0x0000021B3B260000-0x0000021B3B270000-memory.dmp

Filesize
64KB

Download
memory/4536-47-0x0000021B3B260000-0x0000021B3B270000-memory.dmp

Filesize
64KB

Download
memory/4536-18-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp

Filesize
10.8MB

Download
memory/4536-7-0x00007FFBF7973000-0x00007FFBF7975000-memory.dmp

Filesize
8KB

Download
memory/4816-0-0x00000000007E0000-0x00000000008C8000-memory.dmp

Filesize
928KB

Download
memory/4816-3-0x00000000755C2000-0x00000000755C4000-memory.dmp

Filesize
8KB

Download
memory/4816-4-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/4816-2-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Filesize
2.0MB

Download
memory/4816-1-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download
memory/4816-22-0x00000000755B0000-0x000000007572B000-memory.dmp

Filesize
1.5MB

Download