hijackloader | 05ebd4268b70248a93d4e8d3ba3d72d97b5f6aab30f31c6071d5a0aa9662962a | Triage

Submit
Reports

Overview

overview

Static

static

7

VDeck Setup.exe

windows7-x64

VDeck Setup.exe

windows10-2004-x64

Resubmissions

18-07-2024 15:19

240718-sp9b2avajq 10

18-07-2024 14:47

240718-r53zhswend 10

Sharing

General

Target

VDeck Setup.exe
Size

47.5MB
Sample

240718-sp9b2avajq
MD5

68b51a9f235e076aa40882d80bacd4fe
SHA1

a8657a2c84bfdaf46bd3dd9cda86628fbc06ad3d
SHA256

05ebd4268b70248a93d4e8d3ba3d72d97b5f6aab30f31c6071d5a0aa9662962a
SHA512

d6f49c28ca6e84e9f6b6c3a31ab207881b750bd2353c397a5764f9e3a5cb846de4e25e32c1fb2ac08f32bc98b6c16ff0d8b1beb11be9809b96d8908d4f0d43b2
SSDEEP

786432:qig9k278hTFtWECfoYhYnNVWffXt/a31YuLDAFExx4n9VVSGdukegYcXzU:qj/8hTFHCQYJcis8FiKcmukegYc4

Score

10^/10

hijackloader stealc cloregod15 discovery execution loader spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

VDeck Setup.exe

Resource

win7-20240708-en

hijackloader discovery execution loader

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

VDeck Setup.exe

Resource

win10v2004-20240709-en

hijackloader stealc cloregod15 discovery execution loader spyware stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

stealc

Botnet

cloregod15

C2

http://89.105.201.161

Attributes

url_path
/a9dc094723a5e57c.php

Targets

- Target
  
  VDeck Setup.exe
- Size
  
  47.5MB
- MD5
  
  68b51a9f235e076aa40882d80bacd4fe
- SHA1
  
  a8657a2c84bfdaf46bd3dd9cda86628fbc06ad3d
- SHA256
  
  05ebd4268b70248a93d4e8d3ba3d72d97b5f6aab30f31c6071d5a0aa9662962a
- SHA512
  
  d6f49c28ca6e84e9f6b6c3a31ab207881b750bd2353c397a5764f9e3a5cb846de4e25e32c1fb2ac08f32bc98b6c16ff0d8b1beb11be9809b96d8908d4f0d43b2
- SSDEEP
  
  786432:qig9k278hTFtWECfoYhYnNVWffXt/a31YuLDAFExx4n9VVSGdukegYcXzU:qj/8hTFHCQYJcis8FiKcmukegYc4
Score

10^/10

hijackloader discovery execution loader stealc cloregod15 spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

hijackloaderdiscoveryexecutionloader

behavioral2

hijackloaderstealccloregod15discoveryexecutionloaderspywarestealer

© 2018-2024

Terms | Privacy