hijackloader | d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca

General

Target

E036A20D879B669BF96F17A6F17F4C4D.exe
Size

3.5MB
MD5

e036a20d879b669bf96f17a6f17f4c4d
SHA1

95eaeb5d63da9766590e2b3c38fc98b46eb321b0
SHA256

d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca
SHA512

ab8aa5d6768c39b5880a2726e4b75e69f2007726debfaa3e6b3f94fcf72b8ce449c58a043d3020fe4fc4d4fc00782d3003c2f3b10f854fb8cad67c406aa185e7
SSDEEP

49152:Bw38SMypl3oScZUU1a4TutGP25RE7qD6yA8u8UZRUb4kig8tldrv+:qsfe3WUUI3h5RyqDTAH8UMboI

Score

10^/10

hijackloader stealc meowsterioland1 loader stealer

Malware Config

Extracted

Family

stealc

Botnet

meowsterioland1

C2

http://46.8.238.240

Attributes

url_path
/201a735ed890db75.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/1052-0-0x0000000000400000-0x000000000078D000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Deletes itself 1 IoCs

pid	Process
2284	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	3032	WerFault.exe	32

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1052	E036A20D879B669BF96F17A6F17F4C4D.exe
1052	E036A20D879B669BF96F17A6F17F4C4D.exe
2284	cmd.exe
2284	cmd.exe
3032	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1052	E036A20D879B669BF96F17A6F17F4C4D.exe
2284	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	30
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	30
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	30
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	30
PID 1052 wrote to memory of 2284	1052	E036A20D879B669BF96F17A6F17F4C4D.exe	30
PID 2284 wrote to memory of 3032	2284	cmd.exe	32
PID 2284 wrote to memory of 3032	2284	cmd.exe	32
PID 2284 wrote to memory of 3032	2284	cmd.exe	32
PID 2284 wrote to memory of 3032	2284	cmd.exe	32
PID 2284 wrote to memory of 3032	2284	cmd.exe	32
PID 3032 wrote to memory of 2736	3032	explorer.exe	33
PID 3032 wrote to memory of 2736	3032	explorer.exe	33
PID 3032 wrote to memory of 2736	3032	explorer.exe	33
PID 3032 wrote to memory of 2736	3032	explorer.exe	33
PID 2284 wrote to memory of 3032	2284	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\E036A20D879B669BF96F17A6F17F4C4D.exe
"C:\Users\Admin\AppData\Local\Temp\E036A20D879B669BF96F17A6F17F4C4D.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 840
      4⤵
      Program crash
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5c2c06a

Filesize
871KB

MD5
6bf9b3c6d3ff952548fdafe58683b97e

SHA1
e04c0250506e730ea98904297ebe66c8d6cffb79

SHA256
863609d9c492b3833f0a19042f6f4fc1806e891e7964a12048a461332a1fc779

SHA512
6761e41972e09f4c953a8c063b7163e3bc66bb335087b1f73925e1405904dcad6d615e12f98b7260aef01246a41b2f091918afa5a6c0ecdc3228aabe97920951

Download Submit
memory/1052-0-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/1052-2-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/1052-4-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/1052-3-0x0000000075082000-0x0000000075084000-memory.dmp

Filesize
8KB

Download
memory/1052-1-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/1052-5-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-9-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2284-8-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-10-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-11-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/2284-13-0x0000000075070000-0x00000000751E4000-memory.dmp

Filesize
1.5MB

Download
memory/3032-14-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download
memory/3032-15-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/3032-16-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download
memory/3032-21-0x0000000000100000-0x0000000000381000-memory.dmp

Filesize
2.5MB

Download
memory/3032-19-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download
memory/3032-20-0x0000000000130000-0x0000000000138000-memory.dmp

Filesize
32KB

Download
memory/3032-23-0x0000000000590000-0x00000000007CE000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing