2024-08-08_f51d19c6d042d5cd88c8b3cad394a176_hijackloader_magniber_revil

Sharing

Copy URL Twitter E-mail

General

Target

2024-08-08_f51d19c6d042d5cd88c8b3cad394a176_hijackloader_magniber_revil
Size

13.9MB
MD5

f51d19c6d042d5cd88c8b3cad394a176
SHA1

61db95fb2c34308508caddd896554ac9d92bb08d
SHA256

76bf80c848a5ce661e48995a996917cad6e62128e9b14488cdd98943053fad44
SHA512

f10c51efa2accf135fd722803c97b31462bd84864c14f4db06ef57916cf5eff88d870ecaef1987bbec5492536da5e332803e8dd9224ccf51075c4ae5c4045ac5
SSDEEP

393216:GATruQtitiUBejX7I4x04SmPmzRq0fNHNb:bTruvtxBms4f1Pvu

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Files

2024-08-08_f51d19c6d042d5cd88c8b3cad394a176_hijackloader_magniber_revil
.exe windows:6 windows x86 arch:x86

5656461d542d0c59f2eb13b13938a96a

Code Sign

0b:ab:85:69:09:c1:5a:b3:0f:22:85:ae:d9:4c:8c:37
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

16/10/2023, 00:00

Not After

04/12/2026, 23:59

Subject

CN=Rapid7 LLC,O=Rapid7 LLC,L=Boston,ST=Massachusetts,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2013, 12:00

Not After

15/01/2038, 12:00

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

8c:60:50:7b:1f:85:e9:cc:a3:c3:0e:44:ab:d8:bd:b9:fa:4b:d8:f9:f6:44:3a:32:39:22:ac:7c:5d:d5:3b:54
Signer

Actual PE Digest

8c:60:50:7b:1f:85:e9:cc:a3:c3:0e:44:ab:d8:bd:b9:fa:4b:d8:f9:f6:44:3a:32:39:22:ac:7c:5d:d5:3b:54

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\git\Bin\Armor\exec\Win32\Release\MinervaTransientAgent32.pdb

Imports

kernel32

AcquireSRWLockShared
GetSystemDirectoryA
LoadLibraryA
ReleaseSRWLockShared
SwitchToFiber
DeleteFiber
CreateFiberEx
ConvertFiberToThread
ConvertThreadToFiberEx
ReleaseSemaphore
CreateSemaphoreA
SetConsoleMode
ReadConsoleA
InitOnceComplete
InitOnceBeginInitialize
GetFileInformationByHandle
SetFileTime
SetNamedPipeHandleState
WaitNamedPipeW
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
GetExitCodeProcess
MoveFileW
FormatMessageA
CreateDirectoryA
CopyFileW
GetCurrentProcessId
MoveFileExW
LocalFree
FindResourceW
CloseHandle
DeleteFileW
SetEvent
GetLastError
CreateEventW
OpenProcess
GetCurrentThreadId
CreateFileW
WaitForSingleObject
WaitForMultipleObjects
GetModuleFileNameW
RemoveDirectoryW
TerminateProcess
WriteConsoleW
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
WaitForSingleObjectEx
Sleep
GetExitCodeThread
GetNativeSystemInfo
WideCharToMultiByte
MultiByteToWideChar
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
GetSystemTimeAsFileTime
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetCurrentProcess
GetModuleHandleW
GetProcAddress
EncodePointer
DecodePointer
LCMapStringEx
GetStringTypeW
CompareStringEx
GetCPInfo
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
GetStdHandle
WriteConsoleA
WriteFile
GetConsoleMode
GetFileAttributesA
MoveFileA
TerminateThread
DeleteFileA
RaiseException
CreateThread
FreeLibrary
VirtualFreeEx
GetEnvironmentVariableA
LoadLibraryW
K32GetModuleFileNameExW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
CancelIo
DeviceIoControl
GetOverlappedResult
ResetEvent
ReadFile
SetInformationJobObject
SetWaitableTimer
TlsSetValue
SetLastError
CreateWaitableTimerW
AssignProcessToJobObject
CreateNamedPipeW
CreateJobObjectW
InitializeCriticalSectionAndSpinCount
GetQueuedCompletionStatus
GetEnvironmentVariableW
ResumeThread
GetModuleHandleA
PostQueuedCompletionStatus
TlsAlloc
QueueUserAPC
VerSetConditionMask
CreateProcessW
SleepEx
VerifyVersionInfoW
TlsGetValue
TlsFree
CreateIoCompletionPort
CompareFileTime
FindFirstFileW
FindNextFileW
FindClose
GetNamedPipeClientProcessId
DuplicateHandle
FlushFileBuffers
DisconnectNamedPipe
ConnectNamedPipe
HeapFree
GetLongPathNameW
GetTempPathW
GetSystemDirectoryW
FreeEnvironmentStringsW
GetSystemWow64DirectoryW
FormatMessageW
HeapAlloc
GetProcessHeap
GetSystemWindowsDirectoryW
GetEnvironmentStringsW
QueryDosDeviceW
GetFileAttributesW
K32GetProcessImageFileNameW
GetLogicalDriveStringsW
CreateDirectoryW
GetFullPathNameW
GetFileAttributesExW
GetFileTime
SizeofResource
LockResource
LoadResource
GetComputerNameExW
SetHandleInformation
CreatePipe
GetModuleHandleExW
K32EnumProcesses
GetCurrentDirectoryW
ReadProcessMemory
K32EnumProcessModules
GetProcessTimes
UnmapViewOfFile
HeapSize
HeapReAlloc
CreateFileMappingW
MapViewOfFile
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
GetLocalTime
SystemTimeToFileTime
GetSystemTime
GetFileSizeEx
SetFilePointerEx
CreateTimerQueueTimer
DeleteTimerQueueTimer
InitializeCriticalSection
GetProcessId
WriteProcessMemory
VirtualAllocEx
CreateRemoteThread
GlobalFree
LocalAlloc
GetMailslotInfo
CreateMailslotW
GetVolumeInformationW
GetDriveTypeW
VirtualQueryEx
VirtualProtectEx
ExitProcess
VirtualFree
SetEnvironmentVariableW
LoadLibraryExW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
OutputDebugStringW
RtlUnwind
InterlockedPushEntrySList
ExitThread
FreeLibraryAndExitThread
SetStdHandle
GetFileType
SetConsoleCtrlHandler
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetTimeZoneInformation
GetConsoleOutputCP
ReadConsoleW
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
SetEndOfFile
GetCommandLineW

user32

SetWindowDisplayAffinity
CopyRect
DispatchMessageW
OffsetRect
LoadStringW
TrackPopupMenu
RegisterClassExW
CreatePopupMenu
IsDlgButtonChecked
SendMessageW
CreateWindowExW
GetMenuItemCount
MessageBoxW
EnumWindows
SetWindowPos
GetWindowRect
DefWindowProcW
GetMessageW
GetWindowThreadProcessId
DestroyMenu
SetFocus
TranslateMessage
LoadIconW
FindWindowW
SendDlgItemMessageW
GetProcessWindowStation
GetUserObjectInformationW
LoadCursorW
GetDlgItem
AppendMenuW
PostThreadMessageW
PostQuitMessage
DialogBoxParamW
SetForegroundWindow
GetCursorPos
EnableWindow
EndDialog

advapi32

CryptGenRandom
OpenServiceA
StartServiceW
ControlService
DeleteService
OpenSCManagerW
CloseServiceHandle
CreateServiceA
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegNotifyChangeKeyValue
ImpersonateNamedPipeClient
RevertToSelf
LsaNtStatusToWinError
LookupAccountSidW
AddAccessAllowedAceEx
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
InitializeAcl
InitializeSecurityDescriptor
CheckTokenMembership
GetFileSecurityW
CryptEnumProvidersW
CryptSignHashW
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
ReportEventW
RegisterEventSourceW
EnumServicesStatusExW
FreeSid
AddAce
ConvertStringSidToSidW
GetSecurityDescriptorControl
SetNamedSecurityInfoW
AllocateAndInitializeSid
RegQueryValueExA
EqualSid
GetAce
GetAclInformation
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
RegEnumKeyExW
RegQueryInfoKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
CryptReleaseContext
CryptImportKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptVerifySignatureW
CryptAcquireContextW
GetTokenInformation
RegisterEventSourceA
GetLengthSid
OpenProcessToken
ReportEventA
IsValidSid
CopySid
DeregisterEventSource
OpenServiceW

shell32

ShellExecuteW
CommandLineToArgvW
SHGetFolderPathW
SHChangeNotify
Shell_NotifyIconW
SHCreateDirectoryExW

ole32

StringFromGUID2
CoUninitialize
CoCreateGuid
CoSetProxyBlanket
CoInitializeEx
CoCreateInstance

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

crypt32

CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertOpenStore
CryptUnprotectData
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject
CertNameToStrW
CryptProtectData
CryptMsgClose
CertCloseStore
CertOpenSystemStoreW
CertFreeCertificateContext
CertEnumCertificatesInStore

ws2_32

bind
accept
inet_pton
send
shutdown
gethostbyaddr
getservbyport
getservbyname
recvfrom
sendto
recv
getnameinfo
__WSAFDIsSet
gethostbyname
inet_addr
WSAIoctl
closesocket
WSASend
select
inet_ntoa
WSACleanup
socket
WSAGetLastError
setsockopt
ioctlsocket
freeaddrinfo
htons
htonl
getsockopt
WSARecv
WSAAddressToStringW
connect
ntohs
getsockname
getpeername
WSAStartup
getaddrinfo
WSASocketW
WSASetLastError
listen
ntohl

shlwapi

PathIsRelativeW
PathAddExtensionA
PathFindOnPathW
ord437
PathIsDirectoryW
PathAddExtensionW

oleaut32

SafeArrayRedim
SafeArrayDestroy
VariantInit
SafeArrayGetUBound
SafeArrayUnlock
SafeArrayGetLBound
SysFreeString
SafeArrayCopy
SysStringByteLen
SafeArrayGetVartype
SysAllocStringByteLen
SysAllocString
SafeArrayLock
SafeArrayCreate
SysAllocStringLen
VariantClear

iphlpapi

GetIpAddrTable
GetBestInterface
GetTcpTable

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer
LsaEnumerateLogonSessions
GetComputerObjectNameW

userenv

GetProfilesDirectoryW
GetAllUsersProfileDirectoryW

wintrust

WTHelperGetProvSignerFromChain
WinVerifyTrust
WTHelperGetProvCertFromChain
WTHelperProvDataFromStateData

Sections

.text
Size: 4.9MB - Virtual size: 4.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 126KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7.5MB - Virtual size: 7.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 262KB - Virtual size: 261KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5656461d542d0c59f2eb13b13938a96a

Code Sign

0b:ab:85:69:09:c1:5a:b3:0f:22:85:ae:d9:4c:8c:37Certificate

Extended Key Usages

Key Usages

05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5cCertificate

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

8c:60:50:7b:1f:85:e9:cc:a3:c3:0e:44:ab:d8:bd:b9:fa:4b:d8:f9:f6:44:3a:32:39:22:ac:7c:5d:d5:3b:54Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

version

crypt32

ws2_32

shlwapi

oleaut32

iphlpapi

secur32

userenv

wintrust

Sections

.text Size: 4.9MB - Virtual size: 4.9MB

.rdata Size: 1.2MB - Virtual size: 1.2MB

.data Size: 126KB - Virtual size: 150KB

.detourc Size: 4KB - Virtual size: 4KB

.detourd Size: 512B - Virtual size: 12B

.rsrc Size: 7.5MB - Virtual size: 7.5MB

.reloc Size: 262KB - Virtual size: 261KB

0b:ab:85:69:09:c1:5a:b3:0f:22:85:ae:d9:4c:8c:37
Certificate

05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

8c:60:50:7b:1f:85:e9:cc:a3:c3:0e:44:ab:d8:bd:b9:fa:4b:d8:f9:f6:44:3a:32:39:22:ac:7c:5d:d5:3b:54
Signer

.text
Size: 4.9MB - Virtual size: 4.9MB

.rdata
Size: 1.2MB - Virtual size: 1.2MB

.data
Size: 126KB - Virtual size: 150KB

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 7.5MB - Virtual size: 7.5MB

.reloc
Size: 262KB - Virtual size: 261KB