Overview

overview

10

Static

static

10

hijackload...sh.exe

windows10-2004-x64

10

Resubmissions

19-06-2024 21:00

240619-ztfnva1fkd 10

19-06-2024 20:53

240619-zpdnpawalj 10

19-06-2024 20:28

240619-y876zazfpd 10

Analysis

  • max time kernel
    515s
  • max time network
    524s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hijackloader_stealc_new_hash.exe

  • Size

    922KB

  • MD5

    4081d00fabf6ba8e9eb58202ea053735

  • SHA1

    22afaf01961b36e741d104bd3b96ce8df4fbf519

  • SHA256

    ef62979af506ec3ac2c176bc667465940ca4a1e4f8229e0bc992fec715d43ae8

  • SHA512

    1434efa23afd3cb95d0a55a17b246cbee0179072660ce0458701cf9b3b8075217b0864be09a2bbc428c2b9f2253cace6361f874ad8f1d2f472f9f34bd0bc4eda

  • SSDEEP

    24576:e8inyEBCZN5hoVlnJXzJ/SEVSoMAALia4:DgABuxF/SRF4

Score
10/10
hijackloaderstealccozy15loaderstealer

Malware Config

Extracted

Family

stealc

Botnet

cozy15

C2

http://193.163.7.88

Attributes
  • url_path

    /a69d09b357e06b52.php

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe
    "C:\Users\Admin\AppData\Local\Temp\hijackloader_stealc_new_hash.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
          PID:1256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\system32\findstr.exe
        "C:\Windows\system32\findstr.exe" /i syswow64
        2⤵
          PID:4116
        • C:\Windows\system32\findstr.exe
          "C:\Windows\system32\findstr.exe" /i explorer
          2⤵
            PID:1464

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\891bb7d7
          Filesize

          861KB

          MD5

          14f4d8e5471727ec3788d11ab51a45f6

          SHA1

          e28744c99aa1cb040be65ea32215f3380edd4a11

          SHA256

          c6d3e4deadd7d055dc81546570027dd97afe5d2ef91f72513b0b2a278e3b85ac

          SHA512

          2f334a8b1b34a075f346563b7fbeb5871df40d09cd89d26141210a9753714cc17a5bddec8471438ac90c46688a49b7754147c7c3a3e659588becbe4524cdddde

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2jtcxai.jf1.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • memory/1256-42-0x0000000000A40000-0x0000000000C7C000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/1256-40-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/1256-39-0x0000000000A40000-0x0000000000C7C000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/1256-45-0x0000000000A40000-0x0000000000C7C000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/3356-24-0x00000000755B1000-0x00000000755BF000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3356-38-0x00000000755B1000-0x00000000755BF000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3356-36-0x00000000755B1000-0x00000000755BF000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3356-29-0x00000000755B0000-0x000000007572B000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3356-28-0x00000000755B0000-0x000000007572B000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3356-26-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/3356-46-0x00000000755B0000-0x000000007572B000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/4536-17-0x0000021B3B230000-0x0000021B3B252000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4536-34-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4536-21-0x0000021B3D740000-0x0000021B3D7B6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/4536-20-0x0000021B3D670000-0x0000021B3D6B4000-memory.dmp
          Filesize

          272KB

          Download
        • memory/4536-19-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4536-31-0x00007FFBF7973000-0x00007FFBF7975000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4536-32-0x0000021B3B260000-0x0000021B3B270000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4536-33-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4536-35-0x0000021B3B260000-0x0000021B3B270000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4536-47-0x0000021B3B260000-0x0000021B3B270000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4536-18-0x00007FFBF7970000-0x00007FFBF8431000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4536-7-0x00007FFBF7973000-0x00007FFBF7975000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4816-0-0x00000000007E0000-0x00000000008C8000-memory.dmp
          Filesize

          928KB

          Download
        • memory/4816-3-0x00000000755C2000-0x00000000755C4000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4816-4-0x00000000755B0000-0x000000007572B000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/4816-2-0x00007FFC16230000-0x00007FFC16425000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4816-1-0x00000000755B0000-0x000000007572B000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/4816-22-0x00000000755B0000-0x000000007572B000-memory.dmp
          Filesize

          1.5MB

          Download