hijackloader | 039b95904c2dacfb2fd0798010837023349478dbbb9f70bf52a2f79e4735b5b4

General

Target

snss2.bin.exe
Size

7.4MB
MD5

afea68327bd3cb05fea2420848065499
SHA1

e057f60b9e54b139e2fdbc63b141533c4946c8d5
SHA256

039b95904c2dacfb2fd0798010837023349478dbbb9f70bf52a2f79e4735b5b4
SHA512

be1c174bdbff87c38299c880ac93d4959d8048817439511bec59c281f9f1f773d501017cc52963da82ce8941eecd2cf002ed44dc34e3bd4e7ba6b8eec50c9dbb
SSDEEP

98304:fiMrdaUIJ3sxQvmzLvqwBOZTcjgxffDjqJbzEwPgo3dkvmnXX:Ki68xQ+zLJOZwjgZ7Utc2X

Score

10^/10

hijackloader rhadamanthys discovery loader stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://176.124.198.186:443/e0bd9c1f4515facb49/tcg5blro.3wf1o

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/2480-1-0x0000000000400000-0x0000000000BFC000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Deletes itself 1 IoCs

pid	Process
2724	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2480 set thread context of 2724	2480	snss2.bin.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2480	snss2.bin.exe
2480	snss2.bin.exe
2724	cmd.exe
2724	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2480	snss2.bin.exe
2724	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2480	snss2.bin.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2724	2480	snss2.bin.exe	30
PID 2480 wrote to memory of 2724	2480	snss2.bin.exe	30
PID 2480 wrote to memory of 2724	2480	snss2.bin.exe	30
PID 2480 wrote to memory of 2724	2480	snss2.bin.exe	30
PID 2480 wrote to memory of 2724	2480	snss2.bin.exe	30
PID 2724 wrote to memory of 2652	2724	cmd.exe	32
PID 2724 wrote to memory of 2652	2724	cmd.exe	32
PID 2724 wrote to memory of 2652	2724	cmd.exe	32
PID 2724 wrote to memory of 2652	2724	cmd.exe	32
PID 2724 wrote to memory of 2652	2724	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\snss2.bin.exe
"C:\Users\Admin\AppData\Local\Temp\snss2.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fa20b49e

Filesize
1.1MB

MD5
3a77c3614588d929d8db9716192c277e

SHA1
fd61889c6beb0f187987c58118f98284a3be8c73

SHA256
488e66af419acb369fe9ca97cefae46419bb063f42cd52d251414a227c51ff4d

SHA512
6ae4b5a5ee17f7ad53532603a76f6ee8716f014c346753e265e2f0bfb501e2a7b4042bfc7abc7f7b4ac891b6db70b24808c83b355d000d841bc487b0aa660bb8

Download Submit
memory/2480-6-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2480-2-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2480-3-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2480-5-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2480-4-0x0000000074D73000-0x0000000074D75000-memory.dmp

Filesize
8KB

Download
memory/2480-1-0x0000000000400000-0x0000000000BFC000-memory.dmp

Filesize
8.0MB

Download
memory/2480-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2652-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-20-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2652-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2652-17-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2724-9-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2724-15-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2724-13-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2724-12-0x0000000074D60000-0x0000000074ED4000-memory.dmp

Filesize
1.5MB

Download
memory/2724-11-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing