hijackloader | 34d49930f1d8677a454ffa94b73ecc9d849a449fef1f962ab9c016a9f692c9b7

Analysis

max time kernel
134s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wasper Setup/WasperApp.exe
Size

305KB
MD5

7ca72d437db41745f139d1228b8d95e1
SHA1

810a931dec45e63d8d24448d44b1bb645a71047c
SHA256

dbb99b36387720cd0b997359da33ecdaab55cb68cf9643b34d9d6bc136a3805b
SHA512

9e3e10ac4b96191cbde207b69d0c0412fe4f312da59359b66807e319d0529c9851213d7ea2ffab6346343bf59dfe4288754e97d2b76b79f6171361dd4bd083e8
SSDEEP

3072:KefQZKfOC31VwyY9egNtfNjJvjmqqF7Hb/LMm5M4Dfq8TDZ:KDewyY9egLRePYm5re8T

Score

10^/10

hijackloader rhadamanthys stealc wasp2 credential_access discovery loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

wasp2

http://45.152.112.103

Attributes

url_path
/1cf3aa1810feeb67.php

Signatures

Detects HijackLoader (aka IDAT Loader) 4 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023701-3.dat	family_hijackloader
behavioral2/memory/1776-6-0x0000000000400000-0x0000000000582000-memory.dmp	family_hijackloader
behavioral2/files/0x0009000000023702-105.dat	family_hijackloader
behavioral2/memory/3108-106-0x0000000000B60000-0x000000000135C000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1480 created 3124	1480	explorer.exe	51

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1776	snss1.exe
3108	snss2.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	explorer.exe
2488	explorer.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 4972	1776	snss1.exe	95
PID 3108 set thread context of 3588	3108	snss2.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5088	timeout.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1776	snss1.exe
1776	snss1.exe
1776	snss1.exe
4972	cmd.exe
4972	cmd.exe
4972	cmd.exe
4972	cmd.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
2488	explorer.exe
3108	snss2.exe
3108	snss2.exe
3588	cmd.exe
3588	cmd.exe
1480	explorer.exe
1480	explorer.exe
1656	openwith.exe
1656	openwith.exe
1656	openwith.exe
1656	openwith.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1776	snss1.exe
4972	cmd.exe
3108	snss2.exe
3588	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2312	WasperApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3108	snss2.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1776	2312	WasperApp.exe	93
PID 2312 wrote to memory of 1776	2312	WasperApp.exe	93
PID 2312 wrote to memory of 1776	2312	WasperApp.exe	93
PID 1776 wrote to memory of 4972	1776	snss1.exe	95
PID 1776 wrote to memory of 4972	1776	snss1.exe	95
PID 1776 wrote to memory of 4972	1776	snss1.exe	95
PID 1776 wrote to memory of 4972	1776	snss1.exe	95
PID 4972 wrote to memory of 2488	4972	cmd.exe	99
PID 4972 wrote to memory of 2488	4972	cmd.exe	99
PID 4972 wrote to memory of 2488	4972	cmd.exe	99
PID 4972 wrote to memory of 2488	4972	cmd.exe	99
PID 2488 wrote to memory of 2732	2488	explorer.exe	101
PID 2488 wrote to memory of 2732	2488	explorer.exe	101
PID 2488 wrote to memory of 2732	2488	explorer.exe	101
PID 2732 wrote to memory of 5088	2732	cmd.exe	103
PID 2732 wrote to memory of 5088	2732	cmd.exe	103
PID 2732 wrote to memory of 5088	2732	cmd.exe	103
PID 2312 wrote to memory of 3108	2312	WasperApp.exe	104
PID 2312 wrote to memory of 3108	2312	WasperApp.exe	104
PID 2312 wrote to memory of 3108	2312	WasperApp.exe	104
PID 3108 wrote to memory of 3588	3108	snss2.exe	105
PID 3108 wrote to memory of 3588	3108	snss2.exe	105
PID 3108 wrote to memory of 3588	3108	snss2.exe	105
PID 3108 wrote to memory of 3588	3108	snss2.exe	105
PID 3588 wrote to memory of 1480	3588	cmd.exe	107
PID 3588 wrote to memory of 1480	3588	cmd.exe	107
PID 3588 wrote to memory of 1480	3588	cmd.exe	107
PID 3588 wrote to memory of 1480	3588	cmd.exe	107
PID 1480 wrote to memory of 1656	1480	explorer.exe	108
PID 1480 wrote to memory of 1656	1480	explorer.exe	108
PID 1480 wrote to memory of 1656	1480	explorer.exe	108
PID 1480 wrote to memory of 1656	1480	explorer.exe	108
PID 1480 wrote to memory of 1656	1480	explorer.exe	108

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3124
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1656

C:\Users\Admin\AppData\Local\Temp\Wasper Setup\WasperApp.exe
"C:\Users\Admin\AppData\Local\Temp\Wasper Setup\WasperApp.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\e31c096e-021c-4868-b1c6-aaec941653e1\snss1.exe
  "C:\Users\Admin\AppData\Local\Temp\e31c096e-021c-4868-b1c6-aaec941653e1\snss1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5088
- C:\Users\Admin\AppData\Local\Temp\e31c096e-021c-4868-b1c6-aaec941653e1\snss2.exe
  "C:\Users\Admin\AppData\Local\Temp\e31c096e-021c-4868-b1c6-aaec941653e1\snss2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
1⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=4188,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:3
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Temp\51b55c7c

Filesize
1.1MB

MD5
a3302d5423f4a928b43c787f8665d4a2

SHA1
7c0ca5f107c6da973669baac28853d3d4f3a37dc

SHA256
68bad3edff028e37b1c15cfc84455b0a6151acdee9f4b4a03db935551bdc19d3

SHA512
371f8832b361c783b7b0a2f48b639f7e4a208b63b8b49142557b4661497f6ac794186332943916a34794f126ae9a848d23b4a5fefc362ea09050ba892e5019c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d26ee0f1

Filesize
907KB

MD5
83d99d7277abf823d95d445ddc86a27e

SHA1
3693e4c1ff1cf9f5e3ce177ee47ae631646f3a33

SHA256
d4d7a6ec297f097ebe5cd59bcfe660fa99e9976e70d0a633eb188e79daab3add

SHA512
54f7602649093a84c67a0590cc924a0010ea90e7ca37f190fcfdbdeb7e9427d185ae27d9dfaf3762b95ece50af7637754cc1bb135cd8bfec04934bcdeba6a176

Download Submit
C:\Users\Admin\AppData\Local\Temp\e31c096e-021c-4868-b1c6-aaec941653e1\snss1.exe

Filesize
1.5MB

MD5
37f39d42469f898a063f5cf9931aa5e8

SHA1
eae3937c7a5c4c7e31ed84da81dee9ac03b8885f

SHA256
770f6abaa4cfa395c46f7271d86553e5ebb21448a7cf38047df00535bd3463f2

SHA512
424d4e3b9246df4c3f4d79e9a3b7f1b8d7f78c6c5d39f13247fe657637a426d472a08c4bd9e71c787f384020f1b60dd8db9d85961c7f01fd6d0ac69505644bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\e31c096e-021c-4868-b1c6-aaec941653e1\snss2.exe

Filesize
7.4MB

MD5
afea68327bd3cb05fea2420848065499

SHA1
e057f60b9e54b139e2fdbc63b141533c4946c8d5

SHA256
039b95904c2dacfb2fd0798010837023349478dbbb9f70bf52a2f79e4735b5b4

SHA512
be1c174bdbff87c38299c880ac93d4959d8048817439511bec59c281f9f1f773d501017cc52963da82ce8941eecd2cf002ed44dc34e3bd4e7ba6b8eec50c9dbb

Download Submit
memory/1480-127-0x0000000001020000-0x000000000109F000-memory.dmp

Filesize
508KB

Download
memory/1480-122-0x00000000045F0000-0x00000000049F0000-memory.dmp

Filesize
4.0MB

Download
memory/1480-119-0x0000000001020000-0x000000000109F000-memory.dmp

Filesize
508KB

Download
memory/1480-118-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/1480-117-0x0000000001020000-0x000000000109F000-memory.dmp

Filesize
508KB

Download
memory/1480-125-0x0000000075880000-0x0000000075A95000-memory.dmp

Filesize
2.1MB

Download
memory/1480-121-0x00000000045F0000-0x00000000049F0000-memory.dmp

Filesize
4.0MB

Download
memory/1656-132-0x0000000075880000-0x0000000075A95000-memory.dmp

Filesize
2.1MB

Download
memory/1656-129-0x0000000002E50000-0x0000000003250000-memory.dmp

Filesize
4.0MB

Download
memory/1656-130-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/1656-126-0x0000000001240000-0x0000000001249000-memory.dmp

Filesize
36KB

Download
memory/1776-8-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/1776-6-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1776-7-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download
memory/1776-11-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download
memory/1776-5-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1776-10-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download
memory/1776-9-0x0000000074683000-0x0000000074685000-memory.dmp

Filesize
8KB

Download
memory/2488-23-0x0000000000670000-0x00000000008B5000-memory.dmp

Filesize
2.3MB

Download
memory/2488-26-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2488-74-0x0000000000670000-0x00000000008B5000-memory.dmp

Filesize
2.3MB

Download
memory/2488-22-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/2488-21-0x0000000000670000-0x00000000008B5000-memory.dmp

Filesize
2.3MB

Download
memory/2488-98-0x0000000000670000-0x00000000008B5000-memory.dmp

Filesize
2.3MB

Download
memory/3108-109-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/3108-110-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/3108-108-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/3108-106-0x0000000000B60000-0x000000000135C000-memory.dmp

Filesize
8.0MB

Download
memory/3588-114-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/3588-115-0x00000000742B0000-0x000000007442B000-memory.dmp

Filesize
1.5MB

Download
memory/4972-20-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download
memory/4972-18-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download
memory/4972-17-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download
memory/4972-16-0x00007FFFCE690000-0x00007FFFCE885000-memory.dmp

Filesize
2.0MB

Download
memory/4972-14-0x0000000074670000-0x00000000747EB000-memory.dmp

Filesize
1.5MB

Download