General
-
Target
http://runeonlineworld.io
-
Sample
240818-nsgzqssbpd
Score
10/10
Malware Config
Extracted
Family
stealc
Botnet
voidwalker14
C2
http://89.105.198.203
Attributes
-
url_path
/01f0f648c0c07354.php
Targets
-
-
Target
http://runeonlineworld.io
Score10/10-
Detects HijackLoader (aka IDAT Loader)
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Stealc
Stealc is an infostealer written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2