hijackloader | b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d

General

Target

1aeb3a19d439d8a4a00313d12f463827.exe
Size

989KB
MD5

1aeb3a19d439d8a4a00313d12f463827
SHA1

beedd7366e1ef168595d800ebe013067c78775de
SHA256

b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d
SHA512

074c2316d385feb4c78e6068a8fbf37d570bb9ee87a69b76bc3878a1b18eb9f97ca6511709008dcc60158d0dc81395adaed5e309d0266ed7713e7e5e4e442422
SSDEEP

24576:liG03BDYmHDQKcdE2v4jtaUN4cDHZgboRxRprGE:oJYuHTI4jJJObkf

Score

10^/10

hijackloader stealc night26 loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

night26

C2

http://188.130.207.35

Attributes

url_path
/0b92e7ab19e861f9.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/1492-5-0x0000000140000000-0x0000000140112000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
628	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	explorer.exe
2684	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 628	1492	1aeb3a19d439d8a4a00313d12f463827.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2012	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1492	1aeb3a19d439d8a4a00313d12f463827.exe
1492	1aeb3a19d439d8a4a00313d12f463827.exe
628	cmd.exe
628	cmd.exe
2684	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1492	1aeb3a19d439d8a4a00313d12f463827.exe
628	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 628	1492	1aeb3a19d439d8a4a00313d12f463827.exe	28
PID 1492 wrote to memory of 628	1492	1aeb3a19d439d8a4a00313d12f463827.exe	28
PID 1492 wrote to memory of 628	1492	1aeb3a19d439d8a4a00313d12f463827.exe	28
PID 1492 wrote to memory of 628	1492	1aeb3a19d439d8a4a00313d12f463827.exe	28
PID 1492 wrote to memory of 628	1492	1aeb3a19d439d8a4a00313d12f463827.exe	28
PID 628 wrote to memory of 2684	628	cmd.exe	30
PID 628 wrote to memory of 2684	628	cmd.exe	30
PID 628 wrote to memory of 2684	628	cmd.exe	30
PID 628 wrote to memory of 2684	628	cmd.exe	30
PID 628 wrote to memory of 2684	628	cmd.exe	30
PID 2684 wrote to memory of 348	2684	explorer.exe	33
PID 2684 wrote to memory of 348	2684	explorer.exe	33
PID 2684 wrote to memory of 348	2684	explorer.exe	33
PID 2684 wrote to memory of 348	2684	explorer.exe	33
PID 348 wrote to memory of 2012	348	cmd.exe	35
PID 348 wrote to memory of 2012	348	cmd.exe	35
PID 348 wrote to memory of 2012	348	cmd.exe	35
PID 348 wrote to memory of 2012	348	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\1aeb3a19d439d8a4a00313d12f463827.exe
"C:\Users\Admin\AppData\Local\Temp\1aeb3a19d439d8a4a00313d12f463827.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94954463

Filesize
870KB

MD5
71b20149e581b8437a0d624684b98013

SHA1
7c9e6febc8f8e88abb75cd1bde13bc2daeb6bde0

SHA256
70ccd6684cbdbb1732345bac57ba7d48813b7cc9344fbd87476183f6d8d20048

SHA512
0a2c956bdeee8a7cb654e511de606316cf9d949baa387cbb7a735daaea97f8335b3f36f1a4854f4ca6b2ae2a96b6d502f992cce8c00c112678f1747c8cf5bc2c

Download Submit
C:\Users\Admin\AppData\Roaming\NewFileTime\NewFileTime.ini

Filesize
25B

MD5
71bfa4b1b2a2049befa50a86463a014f

SHA1
8ca6218c1f92b40da01501e18786cc2724e4c769

SHA256
a4683279940ca2ea6c25b63f07f41d7e2eab4ac3246ff57c8c771e7c923abd29

SHA512
574ccbc6a9387eed4e74af3e06a5023db1f74e24a8a9f3e9a96bee77483c3e5da257df4ff7976f7e389f51ec9ca89c56b103186fe499f5f3839738cafe657735

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/628-14-0x000000007546E000-0x0000000075470000-memory.dmp

Filesize
8KB

Download
memory/628-63-0x000000007546E000-0x0000000075470000-memory.dmp

Filesize
8KB

Download
memory/628-17-0x0000000075460000-0x00000000755D4000-memory.dmp

Filesize
1.5MB

Download
memory/628-12-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/628-13-0x0000000075460000-0x00000000755D4000-memory.dmp

Filesize
1.5MB

Download
memory/628-15-0x0000000075460000-0x00000000755D4000-memory.dmp

Filesize
1.5MB

Download
memory/1492-9-0x000007FEF72D0000-0x000007FEF7428000-memory.dmp

Filesize
1.3MB

Download
memory/1492-8-0x000007FEF72D0000-0x000007FEF7428000-memory.dmp

Filesize
1.3MB

Download
memory/1492-7-0x000007FEF72E8000-0x000007FEF72E9000-memory.dmp

Filesize
4KB

Download
memory/1492-6-0x000007FEF72D0000-0x000007FEF7428000-memory.dmp

Filesize
1.3MB

Download
memory/1492-5-0x0000000140000000-0x0000000140112000-memory.dmp

Filesize
1.1MB

Download
memory/2684-18-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2684-19-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/2684-20-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2684-23-0x0000000000730000-0x00000000009B1000-memory.dmp

Filesize
2.5MB

Download
memory/2684-22-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/2684-24-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2684-62-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download
memory/2684-87-0x0000000000400000-0x000000000063D000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing