hijackloader | d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca

General

Target

E036A20D879B669BF96F17A6F17F4C4D.exe
Size

3.5MB
MD5

e036a20d879b669bf96f17a6f17f4c4d
SHA1

95eaeb5d63da9766590e2b3c38fc98b46eb321b0
SHA256

d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca
SHA512

ab8aa5d6768c39b5880a2726e4b75e69f2007726debfaa3e6b3f94fcf72b8ce449c58a043d3020fe4fc4d4fc00782d3003c2f3b10f854fb8cad67c406aa185e7
SSDEEP

49152:Bw38SMypl3oScZUU1a4TutGP25RE7qD6yA8u8UZRUb4kig8tldrv+:qsfe3WUUI3h5RyqDTAH8UMboI

Score

10^/10

hijackloader stealc meowsterioland1 loader stealer

Malware Config

Extracted

Family

stealc

Botnet

meowsterioland1

C2

http://46.8.238.240

Attributes

url_path
/201a735ed890db75.php

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4968-0-0x0000000000AC0000-0x0000000000E4D000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2548 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.exe

description pid process target process

PID 4968 set thread context of 2548 4968 E036A20D879B669BF96F17A6F17F4C4D.exe cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2540 3280 WerFault.exe explorer.exe

pid	process
2548	cmd.exe

description	pid	process	target process
PID 4968 set thread context of 2548	4968	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe

pid	pid_target	process	target process
2540	3280	WerFault.exe	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.execmd.exeexplorer.exe

pid process

4968 E036A20D879B669BF96F17A6F17F4C4D.exe
4968 E036A20D879B669BF96F17A6F17F4C4D.exe
2548 cmd.exe
2548 cmd.exe
3280 explorer.exe
3280 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.execmd.exe

pid process

4968 E036A20D879B669BF96F17A6F17F4C4D.exe
2548 cmd.exe

pid	process
4968	E036A20D879B669BF96F17A6F17F4C4D.exe
4968	E036A20D879B669BF96F17A6F17F4C4D.exe
2548	cmd.exe
2548	cmd.exe
3280	explorer.exe
3280	explorer.exe

pid	process
4968	E036A20D879B669BF96F17A6F17F4C4D.exe
2548	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

E036A20D879B669BF96F17A6F17F4C4D.execmd.exe

description	pid	process	target process
PID 4968 wrote to memory of 2548	4968	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 4968 wrote to memory of 2548	4968	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 4968 wrote to memory of 2548	4968	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 4968 wrote to memory of 2548	4968	E036A20D879B669BF96F17A6F17F4C4D.exe	cmd.exe
PID 2548 wrote to memory of 3280	2548	cmd.exe	explorer.exe
PID 2548 wrote to memory of 3280	2548	cmd.exe	explorer.exe
PID 2548 wrote to memory of 3280	2548	cmd.exe	explorer.exe
PID 2548 wrote to memory of 3280	2548	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\E036A20D879B669BF96F17A6F17F4C4D.exe
"C:\Users\Admin\AppData\Local\Temp\E036A20D879B669BF96F17A6F17F4C4D.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1376
4⤵
- Program crash
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3280 -ip 3280
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7931a456

Filesize
871KB

MD5
b5042fc30eb122d55967654f2c1ad14a

SHA1
62d3d97bcfe04986b483c673400f9662bbddbc8e

SHA256
205b477863c893fe0ecbea8bc0e219e68d0105c59c66914a21f6774340806518

SHA512
d1adf3784e33a0a7520cc22309554eb632eb2254af31190a940e8f9f60e7ef2a5d7a2526959e83f5b747aa4d3abc390002b7ee6af62f83ef18558c9edff1142b

Download Submit
memory/2548-7-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/2548-13-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/2548-11-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/2548-10-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/2548-9-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/3280-14-0x0000000000170000-0x00000000003AE000-memory.dmp

Filesize
2.2MB

Download
memory/3280-15-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/3280-16-0x0000000000170000-0x00000000003AE000-memory.dmp

Filesize
2.2MB

Download
memory/3280-18-0x0000000000ED3000-0x0000000000EDB000-memory.dmp

Filesize
32KB

Download
memory/3280-19-0x0000000000DF0000-0x0000000001223000-memory.dmp

Filesize
4.2MB

Download
memory/3280-21-0x0000000000170000-0x00000000003AE000-memory.dmp

Filesize
2.2MB

Download
memory/4968-5-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/4968-4-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/4968-3-0x00000000751E2000-0x00000000751E4000-memory.dmp

Filesize
8KB

Download
memory/4968-2-0x00007FF96A210000-0x00007FF96A405000-memory.dmp

Filesize
2.0MB

Download
memory/4968-1-0x00000000751D0000-0x000000007534B000-memory.dmp

Filesize
1.5MB

Download
memory/4968-0-0x0000000000AC0000-0x0000000000E4D000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads