hijackloader | eabcd20c183903046a1d28b72a6178da24879d8057594334ce300bc969c7e23d

General

Target

0024f2af21d239ce45c14ce295b28ac2.exe
Size

11.1MB
MD5

0024f2af21d239ce45c14ce295b28ac2
SHA1

51c27e4c16ef9b68874ced062d29e357a380d25b
SHA256

eabcd20c183903046a1d28b72a6178da24879d8057594334ce300bc969c7e23d
SHA512

741edd582ce34c352c6965cc4487408b18e63e2fb0bb5ae8c103de5c02e56cb22fa80c83d3b69b03b6e315fd7694ffa22d948adbe2f3eb38f5eb5ed4c1fad545
SSDEEP

196608:MOJ9gF/d8f23gg1tvLpPEBKqY1iyvB6nBtPISH95B08fVBTyRKfqrUM+kLsOiLlU:MOJ9gF/d8f23gg1ZLpPEBKqY1iyvB6n6

Score

10^/10

hijackloader rhadamanthys discovery loader stealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://5.42.99.131:443/e0bd9c1f4515facb49/m58gpf5u.6eabm

Signatures

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1980-0-0x0000000000400000-0x0000000000F1A000-memory.dmp	family_hijackloader
behavioral2/memory/1980-16-0x0000000000400000-0x0000000000F1A000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 968 created 2664 968 explorer.exe sihost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2352 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0024f2af21d239ce45c14ce295b28ac2.exe

description pid process target process

PID 1980 set thread context of 2352 1980 0024f2af21d239ce45c14ce295b28ac2.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 968 created 2664	968	explorer.exe	sihost.exe

pid	process
2352	cmd.exe

description	pid	process	target process
PID 1980 set thread context of 2352	1980	0024f2af21d239ce45c14ce295b28ac2.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0024f2af21d239ce45c14ce295b28ac2.execmd.exeexplorer.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0024f2af21d239ce45c14ce295b28ac2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

0024f2af21d239ce45c14ce295b28ac2.execmd.exeexplorer.exeopenwith.exe

pid	process
1980	0024f2af21d239ce45c14ce295b28ac2.exe
1980	0024f2af21d239ce45c14ce295b28ac2.exe
2352	cmd.exe
2352	cmd.exe
968	explorer.exe
968	explorer.exe
3628	openwith.exe
3628	openwith.exe
3628	openwith.exe
3628	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0024f2af21d239ce45c14ce295b28ac2.execmd.exe

pid process

1980 0024f2af21d239ce45c14ce295b28ac2.exe
2352 cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0024f2af21d239ce45c14ce295b28ac2.execmd.exeexplorer.exe

description	pid	process	target process
PID 1980 wrote to memory of 2352	1980	0024f2af21d239ce45c14ce295b28ac2.exe	cmd.exe
PID 1980 wrote to memory of 2352	1980	0024f2af21d239ce45c14ce295b28ac2.exe	cmd.exe
PID 1980 wrote to memory of 2352	1980	0024f2af21d239ce45c14ce295b28ac2.exe	cmd.exe
PID 1980 wrote to memory of 2352	1980	0024f2af21d239ce45c14ce295b28ac2.exe	cmd.exe
PID 2352 wrote to memory of 968	2352	cmd.exe	explorer.exe
PID 2352 wrote to memory of 968	2352	cmd.exe	explorer.exe
PID 2352 wrote to memory of 968	2352	cmd.exe	explorer.exe
PID 2352 wrote to memory of 968	2352	cmd.exe	explorer.exe
PID 968 wrote to memory of 3628	968	explorer.exe	openwith.exe
PID 968 wrote to memory of 3628	968	explorer.exe	openwith.exe
PID 968 wrote to memory of 3628	968	explorer.exe	openwith.exe
PID 968 wrote to memory of 3628	968	explorer.exe	openwith.exe
PID 968 wrote to memory of 3628	968	explorer.exe	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3628

C:\Users\Admin\AppData\Local\Temp\0024f2af21d239ce45c14ce295b28ac2.exe
"C:\Users\Admin\AppData\Local\Temp\0024f2af21d239ce45c14ce295b28ac2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e9156231

Filesize
1.1MB

MD5
ed2f3cc735316c12871b2aaf4a3a37ec

SHA1
5064cd1b197b7f80be792df7a94a371a0b6d6ce2

SHA256
bf37a719aaa5842404c013c4c0b1244b49d83f183af5286d790f0e2a16c17bf3

SHA512
e8cc1fb8136bfd04cb198e0c4f5fbbf48838f5c5119ed51bb162853187e558061df719a251631d498335556e7f6852fd1af84a96d917d2e065acb88b952c3d86

Download Submit
memory/968-37-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/968-36-0x00000000046E0000-0x0000000004AE0000-memory.dmp

Filesize
4.0MB

Download
memory/968-35-0x0000000000A73000-0x0000000000A7B000-memory.dmp

Filesize
32KB

Download
memory/968-33-0x00000000003A0000-0x0000000000420000-memory.dmp

Filesize
512KB

Download
memory/968-38-0x00000000003A0000-0x0000000000420000-memory.dmp

Filesize
512KB

Download
memory/968-32-0x00007FFFB3DD0000-0x00007FFFB3FC5000-memory.dmp

Filesize
2.0MB

Download
memory/968-31-0x00000000003A0000-0x0000000000420000-memory.dmp

Filesize
512KB

Download
memory/968-43-0x0000000000990000-0x0000000000DC3000-memory.dmp

Filesize
4.2MB

Download
memory/968-41-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/968-50-0x00000000003A0000-0x0000000000420000-memory.dmp

Filesize
512KB

Download
memory/1980-18-0x00007FFFB3DD0000-0x00007FFFB3FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1980-21-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/1980-0-0x0000000000400000-0x0000000000F1A000-memory.dmp

Filesize
11.1MB

Download
memory/1980-19-0x0000000074343000-0x0000000074345000-memory.dmp

Filesize
8KB

Download
memory/1980-20-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/1980-17-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/1980-16-0x0000000000400000-0x0000000000F1A000-memory.dmp

Filesize
11.1MB

Download
memory/1980-1-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download
memory/2352-24-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/2352-30-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/2352-28-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/2352-27-0x0000000074330000-0x00000000744AB000-memory.dmp

Filesize
1.5MB

Download
memory/2352-26-0x00007FFFB3DD0000-0x00007FFFB3FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3628-42-0x0000000000B60000-0x0000000000B69000-memory.dmp

Filesize
36KB

Download
memory/3628-45-0x0000000002A20000-0x0000000002E20000-memory.dmp

Filesize
4.0MB

Download
memory/3628-48-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/3628-46-0x00007FFFB3DD0000-0x00007FFFB3FC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads