hijackloader | d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca

General

Target

E036A20D879B669BF96F17A6F17F4C4D.exe
Size

3.5MB
MD5

e036a20d879b669bf96f17a6f17f4c4d
SHA1

95eaeb5d63da9766590e2b3c38fc98b46eb321b0
SHA256

d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca
SHA512

ab8aa5d6768c39b5880a2726e4b75e69f2007726debfaa3e6b3f94fcf72b8ce449c58a043d3020fe4fc4d4fc00782d3003c2f3b10f854fb8cad67c406aa185e7
SSDEEP

49152:Bw38SMypl3oScZUU1a4TutGP25RE7qD6yA8u8UZRUb4kig8tldrv+:qsfe3WUUI3h5RyqDTAH8UMboI

Score

10^/10

hijackloader stealc meowsterioland1 loader stealer

Malware Config

Extracted

Family

stealc

Botnet

meowsterioland1

C2

http://46.8.238.240

Attributes

url_path
/201a735ed890db75.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000400000-0x000000000078D000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2284 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.exe

description pid process target process

PID 1052 set thread context of 2284 1052 E036A20D879B669BF96F17A6F17F4C4D.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2736 3032 WerFault.exe explorer.exe

pid	process
2284	cmd.exe

description	pid	process	target process
PID 1052 set thread context of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe

pid	pid_target	process	target process
2736	3032	WerFault.exe	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.execmd.exeexplorer.exe

pid process

1052 E036A20D879B669BF96F17A6F17F4C4D.exe
1052 E036A20D879B669BF96F17A6F17F4C4D.exe
2284 cmd.exe
2284 cmd.exe
3032 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.execmd.exe

pid process

1052 E036A20D879B669BF96F17A6F17F4C4D.exe
2284 cmd.exe

pid	process
1052	E036A20D879B669BF96F17A6F17F4C4D.exe
1052	E036A20D879B669BF96F17A6F17F4C4D.exe
2284	cmd.exe
2284	cmd.exe
3032	explorer.exe

pid	process
1052	E036A20D879B669BF96F17A6F17F4C4D.exe
2284	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.execmd.exeexplorer.exe

description	pid	process	target process
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 2284 wrote to memory of 3032	2284	cmd.exe	explorer.exe
PID 2284 wrote to memory of 3032	2284	cmd.exe	explorer.exe
PID 2284 wrote to memory of 3032	2284	cmd.exe	explorer.exe
PID 2284 wrote to memory of 3032	2284	cmd.exe	explorer.exe
PID 2284 wrote to memory of 3032	2284	cmd.exe	explorer.exe
PID 3032 wrote to memory of 2736	3032	explorer.exe	WerFault.exe
PID 3032 wrote to memory of 2736	3032	explorer.exe	WerFault.exe
PID 3032 wrote to memory of 2736	3032	explorer.exe	WerFault.exe
PID 3032 wrote to memory of 2736	3032	explorer.exe	WerFault.exe
PID 2284 wrote to memory of 3032	2284	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\E036A20D879B669BF96F17A6F17F4C4D.exe
"C:\Users\Admin\AppData\Local\Temp\E036A20D879B669BF96F17A6F17F4C4D.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 840
4⤵
- Program crash
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5c2c06a
Filesize
871KB

MD5
6bf9b3c6d3ff952548fdafe58683b97e

SHA1
e04c0250506e730ea98904297ebe66c8d6cffb79

SHA256
863609d9c492b3833f0a19042f6f4fc1806e891e7964a12048a461332a1fc779

SHA512
6761e41972e09f4c953a8c063b7163e3bc66bb335087b1f73925e1405904dcad6d615e12f98b7260aef01246a41b2f091918afa5a6c0ecdc3228aabe97920951

Download Submit
memory/1052-0-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/1052-2-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/1052-4-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/1052-3-0x0000000075082000-0x0000000075084000-memory.dmp

Filesize
8KB

Download
memory/1052-1-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/1052-5-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-9-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2284-8-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-10-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-11-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-13-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/3032-14-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download
memory/3032-15-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/3032-16-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download
memory/3032-21-0x0000000000100000-0x0000000000381000-memory.dmp

Filesize
2.5MB

Download
memory/3032-19-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download
memory/3032-20-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/3032-23-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads