hijackloader | b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d

General

Target

1aeb3a19d439d8a4a00313d12f463827.exe
Size

989KB
MD5

1aeb3a19d439d8a4a00313d12f463827
SHA1

beedd7366e1ef168595d800ebe013067c78775de
SHA256

b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d
SHA512

074c2316d385feb4c78e6068a8fbf37d570bb9ee87a69b76bc3878a1b18eb9f97ca6511709008dcc60158d0dc81395adaed5e309d0266ed7713e7e5e4e442422
SSDEEP

24576:liG03BDYmHDQKcdE2v4jtaUN4cDHZgboRxRprGE:oJYuHTI4jJJObkf

Score

10^/10

hijackloader stealc night26 loader stealer

Malware Config

Extracted

Family

stealc

Botnet

night26

C2

http://188.130.207.35

Attributes

url_path
/0b92e7ab19e861f9.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral2/memory/1900-5-0x0000000140000000-0x0000000140112000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Deletes itself 1 IoCs

pid	Process
4440	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 4440	1900	1aeb3a19d439d8a4a00313d12f463827.exe	80

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4904	2840	WerFault.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1900	1aeb3a19d439d8a4a00313d12f463827.exe
1900	1aeb3a19d439d8a4a00313d12f463827.exe
4440	cmd.exe
4440	cmd.exe
2840	explorer.exe
2840	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1900	1aeb3a19d439d8a4a00313d12f463827.exe
4440	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4440	1900	1aeb3a19d439d8a4a00313d12f463827.exe	80
PID 1900 wrote to memory of 4440	1900	1aeb3a19d439d8a4a00313d12f463827.exe	80
PID 1900 wrote to memory of 4440	1900	1aeb3a19d439d8a4a00313d12f463827.exe	80
PID 1900 wrote to memory of 4440	1900	1aeb3a19d439d8a4a00313d12f463827.exe	80
PID 4440 wrote to memory of 2840	4440	cmd.exe	82
PID 4440 wrote to memory of 2840	4440	cmd.exe	82
PID 4440 wrote to memory of 2840	4440	cmd.exe	82
PID 4440 wrote to memory of 2840	4440	cmd.exe	82
PID 4440 wrote to memory of 2840	4440	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\1aeb3a19d439d8a4a00313d12f463827.exe
"C:\Users\Admin\AppData\Local\Temp\1aeb3a19d439d8a4a00313d12f463827.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 868
      4⤵
      Program crash
      PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2840 -ip 2840
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac9382b1

Filesize
870KB

MD5
a7d2715640007113c4449d8e920c9a4f

SHA1
b670ccae58b3ef39b36654a2ad264bc440f0583f

SHA256
f9f840d62fc4f505b91cb9ffddd8f04a11e0df8a3f5bf57512d5e0df71f91538

SHA512
67c98adae1a5a6fdd26ee1db853248268621030e1ae2d499f8a400cf8dcece49c4df39510d5c70b872a87cf9d760f6b9b394ee3581655747031a63f9ac55f9bb

Download Submit
C:\Users\Admin\AppData\Roaming\NewFileTime\NewFileTime.ini

Filesize
25B

MD5
71bfa4b1b2a2049befa50a86463a014f

SHA1
8ca6218c1f92b40da01501e18786cc2724e4c769

SHA256
a4683279940ca2ea6c25b63f07f41d7e2eab4ac3246ff57c8c771e7c923abd29

SHA512
574ccbc6a9387eed4e74af3e06a5023db1f74e24a8a9f3e9a96bee77483c3e5da257df4ff7976f7e389f51ec9ca89c56b103186fe499f5f3839738cafe657735

Download Submit
memory/1900-5-0x0000000140000000-0x0000000140112000-memory.dmp

Filesize
1.1MB

Download
memory/1900-6-0x00007FFCDAA70000-0x00007FFCDABE2000-memory.dmp

Filesize
1.4MB

Download
memory/1900-7-0x00007FFCDAA88000-0x00007FFCDAA89000-memory.dmp

Filesize
4KB

Download
memory/1900-8-0x00007FFCDAA70000-0x00007FFCDABE2000-memory.dmp

Filesize
1.4MB

Download
memory/1900-9-0x00007FFCDAA70000-0x00007FFCDABE2000-memory.dmp

Filesize
1.4MB

Download
memory/2840-24-0x0000000000483000-0x000000000048B000-memory.dmp

Filesize
32KB

Download
memory/2840-26-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-30-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-29-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-28-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-18-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-19-0x00007FFCE9970000-0x00007FFCE9B65000-memory.dmp

Filesize
2.0MB

Download
memory/2840-20-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-27-0x0000000000C00000-0x0000000000E3D000-memory.dmp

Filesize
2.2MB

Download
memory/2840-25-0x00000000003A0000-0x00000000007D3000-memory.dmp

Filesize
4.2MB

Download
memory/4440-14-0x0000000074FDE000-0x0000000074FE0000-memory.dmp

Filesize
8KB

Download
memory/4440-23-0x0000000074FDE000-0x0000000074FE0000-memory.dmp

Filesize
8KB

Download
memory/4440-12-0x00007FFCE9970000-0x00007FFCE9B65000-memory.dmp

Filesize
2.0MB

Download
memory/4440-17-0x0000000074FD0000-0x000000007514B000-memory.dmp

Filesize
1.5MB

Download
memory/4440-15-0x0000000074FD0000-0x000000007514B000-memory.dmp

Filesize
1.5MB

Download
memory/4440-13-0x0000000074FD0000-0x000000007514B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing