hijackloader | b4c0c782d222e4d6f12f880cc36adaeb85fc6e1c0dbbbda94483ca441b386c32 | Triage

Submit
Reports

Overview

overview

Static

static

1

4013211626.html

windows10-2004-x64

Sharing

General

Target

4013211626
Size

9KB
Sample

240721-scrw8atfpe
MD5

2dc87ce29e5569453880ebfb036c6dca
SHA1

7e0ca6b568ae925949da6992e89d9081c80adf38
SHA256

b4c0c782d222e4d6f12f880cc36adaeb85fc6e1c0dbbbda94483ca441b386c32
SHA512

37e8a05f543577846977c7d4d4f77e08d5184099f65cb7c964a1afb711789c06d92bff12491ba45e3331157ddc29626e3878d3eb986ab7e05fc679f2dd25911d
SSDEEP

192:rJHP+ws7Ai7A1+FK9fvfjvJcjdYj8exLj1ElCBtV+fXbCSZnw5:pP+wskik1+F+saNOZo

Score

10^/10

hijackloader stealc doralands20 discovery execution loader stealer

Static task

static1

Behavioral task

behavioral1

Sample

4013211626.html

Resource

win10v2004-20240709-en

hijackloader stealc doralands20 discovery execution loader stealer

windows10-2004-x64

25 signatures

600 seconds

Malware Config

Extracted

Family

stealc

Botnet

doralands20

C2

http://188.130.207.115

Attributes

url_path
/8b4c5bd1ddc1cb18.php

Targets

- Target
  
  4013211626
- Size
  
  9KB
- MD5
  
  2dc87ce29e5569453880ebfb036c6dca
- SHA1
  
  7e0ca6b568ae925949da6992e89d9081c80adf38
- SHA256
  
  b4c0c782d222e4d6f12f880cc36adaeb85fc6e1c0dbbbda94483ca441b386c32
- SHA512
  
  37e8a05f543577846977c7d4d4f77e08d5184099f65cb7c964a1afb711789c06d92bff12491ba45e3331157ddc29626e3878d3eb986ab7e05fc679f2dd25911d
- SSDEEP
  
  192:rJHP+ws7Ai7A1+FK9fvfjvJcjdYj8exLj1ElCBtV+fXbCSZnw5:pP+wskik1+F+saNOZo
Score

10^/10

hijackloader stealc doralands20 discovery execution loader stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

hijackloaderstealcdoralands20discoveryexecutionloaderstealer

© 2018-2024

Terms | Privacy