hijackloader

Sharing

Copy URL

Twitter E-mail

General

Target

TidyMe.zip
Size

71.3MB
Sample

240708-nhvg3swfpq
MD5

d2136eef938dfcb645ca2524163b584e
SHA1

fa36bf38c20ef719996b63a85e35f79a3120d912
SHA256

479f024e77b53300da8dd0e0d0243dca32af5c1aefaa2f254127bc59f2901d93
SHA512

65ff0a484d2a42ab18ecb917d94c07e5934570a46202e7da3f82af6961b3149f33b079900794bd3e1c974ebb8235bed7ed2f54ddcc8a4489cfd41228461087e4
SSDEEP

1572864:6+PWbPoz0ZoBzCTaorbRx8CCIK+BQVcYVXP/RGvB5klUQTAO5n4D7h5pXk:4bnk1oXK1KQVcYVX6klU0Aqa7PZk

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

meowsterioland4

http://46.8.238.240

Attributes

url_path
/201a735ed890db75.php

Targets

- Target
  
  TidyMe.bin
- Size
  
  71.6MB
- MD5
  
  3bf79b657c35c672751d980213baaaf1
- SHA1
  
  4cf7d2d660110ab44fba2f564bcb3ce40b026807
- SHA256
  
  6b30a6026b7cc60a3cce4db9ae2461af86c3a0ec81d29c3397cfad69b7878754
- SHA512
  
  5442964091322e4ca8f3fbb327dab27647af3762cef0f2aaa8cab33ee0ceaa73f59ad2e5593bcdb48c49e5ed9027970f24cf0a0a4b90b8681ae76abe11f40757
- SSDEEP
  
  1572864:gePkJopD1LOyqK3yf555SMbDaanxGb8zL5VWtUYv6f87M+mTnMpcOqD:ge3pDkKQj5DmanxGSL5VWWhfmMBMpcDD
Score

10^/10

discovery hijackloader stealc meowsterioland4 loader stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/SpiderBanner.dll
- Size
  
  9KB
- MD5
  
  17309e33b596ba3a5693b4d3e85cf8d7
- SHA1
  
  7d361836cf53df42021c7f2b148aec9458818c01
- SHA256
  
  996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
- SHA512
  
  1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
- SSDEEP
  
  192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
Score

1^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/StdUtils.dll
- Size
  
  100KB
- MD5
  
  c6a6e03f77c313b267498515488c5740
- SHA1
  
  3d49fc2784b9450962ed6b82b46e9c3c957d7c15
- SHA256
  
  b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
- SHA512
  
  9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- SSDEEP
  
  3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/app-64.7z
- Size
  
  70.7MB
- MD5
  
  3ffffd470f1dd6b44a52ae29a9bd105c
- SHA1
  
  dcabc58eb8c156c2b79053cc710e2a9b820c112d
- SHA256
  
  adc513c48cd959732f95a403b623a3e3103e82531be23c842a36b9cfc5966529
- SHA512
  
  0f35e0e012c0459623a262fb65cad470d23e04c23c5b9a29986f974bbab8b63048f2014b2049568a4deaa9a38531ee48700ba8eeeea0d64cef9cff6cee80a478
- SSDEEP
  
  1572864:zPkJopD1LOyqK3yf555SMbDaanxGb8zL5VWtUYv6f87M+mTnMpcOqG:z3pDkKQj5DmanxGSL5VWWhfmMBMpcDG
Score

3^/10
behavioral10 behavioral9
- Target
  
  LICENSE.electron.txt
- Size
  
  1KB
- MD5
  
  4d42118d35941e0f664dddbd83f633c5
- SHA1
  
  2b21ec5f20fe961d15f2b58efb1368e66d202e5c
- SHA256
  
  5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
- SHA512
  
  3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63
Score

1^/10
behavioral11 behavioral12
- Target
  
  LICENSES.chromium.html
- Size
  
  6.5MB
- MD5
  
  796505037e030807d9ddd01c93eb353b
- SHA1
  
  79a1eac3b505e6d94a6206d4a5198d3cc11ab038
- SHA256
  
  9f3f2b4d9bbd3113486839eca85de119fab766450cdca08a4574b80748885708
- SHA512
  
  9435273a4541a579a427a295be47af8b81133896f50c97bab1d8ab391089f90186a7fd057b53e8b74829e4747e98428d8b4d242eb6854b1304a94a2891c2fd11
- SSDEEP
  
  24576:8Pjy5WjWSpgDrAV8gmfwN6i6w6C6g6T+gH3BMbp0W:oJDN
Score

1^/10
behavioral13 behavioral14
- Target
  
  TidyMe.exe
- Size
  
  150.7MB
- MD5
  
  0771b3d0b51d227be62e2e61275cf43e
- SHA1
  
  005e0fca1a0712cc244a7c95e6e8e06b6df79ba5
- SHA256
  
  db3298bb7f3637c5fbbf9370cc5dafdde8f4f4e51c3377ded584cbb373a15e74
- SHA512
  
  bd3556ddb142f8fd066e4a6aa52849c980b7121d7746db97376804cbac937ff3e41807a02d65f92cd48098f2a1ffe6b9c23046d087128bdf62f3b5cf58360308
- SSDEEP
  
  1572864:PlAhthKM29V6LLWANUB9IinJn1cpGN4vM+JlhrZnQ9I4FdUrczKrk4Ze2OC2+:ktSD64Jnqrt5v2
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16
- Target
  
  chrome_100_percent.pak
- Size
  
  126KB
- MD5
  
  d31f3439e2a3f7bee4ddd26f46a2b83f
- SHA1
  
  c5a26f86eb119ae364c5bf707bebed7e871fc214
- SHA256
  
  9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e
- SHA512
  
  aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5
- SSDEEP
  
  3072:5KzwqCT4waJL2myFhPNL2o418Gb0+VRLf0ld0GY3cQ39Vm2I:5Kzwt4LwmU3K18Gb0OV8ld0GecQ3f2
Score

3^/10
behavioral17 behavioral18
- Target
  
  chrome_200_percent.pak
- Size
  
  175KB
- MD5
  
  5604b67e3f03ab2741f910a250c91137
- SHA1
  
  a4bb15ac7914c22575f1051a29c448f215fe027f
- SHA256
  
  1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c
- SHA512
  
  5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d
- SSDEEP
  
  3072:+DQYaEQN6AJPRJL2myFhPNafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+HxNK/r4:+DQYaNN68RwmU0gx5GMRejnbdZnVE6YR
Score

3^/10
behavioral19 behavioral20
- Target
  
  d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  cb9807f6cf55ad799e920b7e0f97df99
- SHA1
  
  bb76012ded5acd103adad49436612d073d159b29
- SHA256
  
  5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a
- SHA512
  
  f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62
- SSDEEP
  
  49152:IuhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8cc:oy904wYbZCoOI85oyI
Score

1^/10
behavioral21
- Target
  
  ffmpeg.dll
- Size
  
  2.6MB
- MD5
  
  00ffabbb9438a0da15a021451a9c2d0d
- SHA1
  
  4bb79fe2b09962c6c46b70d7dfb1f9d9604a22dc
- SHA256
  
  aad7e7ac9d74ac18892801950c9728e9c4eacd3b676cbb5d6f63382da2ce0559
- SHA512
  
  989d8d0afd3ce64c65a90d1046f28b19e5b125f8b5a565b76b8c950d152d3b9a57d68126888321c7cd8a4985249c1ec649c453e7501aaa4ff60d9662afd85f34
- SSDEEP
  
  49152:cqMAAYNDEmcTfAZMHkwfPYX6Edxhi1uGaVrFY7Q9b5hpN3lzl3hHLNoJX:cGDfRMHR8rFYU5hNA
Score

1^/10
behavioral22 behavioral23
- Target
  
  icudtl.dat
- Size
  
  10.0MB
- MD5
  
  76bef9b8bb32e1e54fe1054c97b84a10
- SHA1
  
  05dfea2a3afeda799ab01bb7fbce628cacd596f4
- SHA256
  
  97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3
- SHA512
  
  7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6
- SSDEEP
  
  196608:p5zwSv9AAyse6liXUxCGZHa93Whlw6ZCXU0:pyKlysTliXUxCGZHa93Whlw6ZCX1
Score

3^/10
behavioral24 behavioral25
- Target
  
  libEGL.dll
- Size
  
  473KB
- MD5
  
  ef4291ace01485ee773183ee3c1ed5c4
- SHA1
  
  9c9d32813a733ebceb25c0dbb9f85ef27f6e0a0f
- SHA256
  
  85f238fb7ace3cbdf7c29c72b01307c440f13491b07a509cbc5b9f257a637164
- SHA512
  
  a98bfe1845a712943687f0b20d1904bae1b6836ea37f8a2053872f938dceb2f391fadd3db034c0b8563c0b1ab3d4506d13b613ed51780ef10e813c085c830f82
- SSDEEP
  
  6144:VTv0fq4dz9B4x4w/jvtGW9ZST3BypG48yOnb4pgsHVlAYnReZRO8:VTN4dNw/jvtGW9c3BypaagYnKRO
Score

1^/10
behavioral26 behavioral27
- Target
  
  libGLESv2.dll
- Size
  
  7.2MB
- MD5
  
  60e42e83b260582fc96aaf43293d99e1
- SHA1
  
  c548a10873f9a57e18c7fbb1fe89685f4cf1ba84
- SHA256
  
  25d49934fc220b169cadeb21fc99dc2a8fb1dd5a4f244265799392f0f5f2f8f8
- SHA512
  
  6a905e2b9427fb6e4a53080afdc2ae9dc32c54aab5460f88f7d3fd16e7e9a841d332057f58942d54defe91361a54d3cbedba295399cead754f353f80f92f238b
- SSDEEP
  
  49152:Rs95E5fqF3q/xEpLJgw7yQj1+lSWsucneTA4fwEmN428bbvbgNqay6q/iyGtxJe5:2lq3ZieHhogDbBztUecv7r7frgsOMG
Score

1^/10
behavioral28 behavioral29
- Target
  
  locales/af.pak
- Size
  
  340KB
- MD5
  
  198092a7a82efced4d59715bd3e41703
- SHA1
  
  ac3cdfba133330fce825816b2f9579ac240dc176
- SHA256
  
  d63222c4a20fa9741f5262634cf9751f22fbb4fcd9d3138d7c8d49e0efb57fba
- SHA512
  
  590dcc02bc3411fa585321a09f2033ca1839dd67b083622be412d60683c2c086aac81a27bc56029101f6158515cc6ae4def39d3f246b7499b30d02690904af0d
- SSDEEP
  
  6144:ptbDrUln/WiOvz9P5D4uEmv0XPjC6nAcbaK6pgwwexhsVxS42K6tA3pU5tpwDw44:ptfOOiOvzg/mCPjC6nAcbipgwwePSS4C
Score

3^/10
behavioral30 behavioral31
- Target
  
  locales/am.pak
- Size
  
  551KB
- MD5
  
  952933d2d388683c91ee7eaa7539e625
- SHA1
  
  7a0f5a10d7d61c32577c0d027db8c66c27e56c7d
- SHA256
  
  55357baf28716a73f79ac9a6af1ae63972eb79f93c415715518027fc5c528504
- SHA512
  
  5aa5ef0ed1da98b36840389e694dc5dcef496524314b61603d0c5ee03a663bb4c753623fb400792754b51331df20ac6d9cf97c183922f19fc0072822688f988d
- SSDEEP
  
  12288:WcWln6HuPPL8xJTgWHsEaYM5g9yaAVmHukPQyx30jH8+I:WR6YL8xOWHbaYM5g9yaAVmvPQ+
Score

3^/10
behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects HijackLoader (aka IDAT Loader)

Stealc

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Checks computer location settings

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32