Overview

overview

10

Static

static

3

Cozy Setup.exe

windows10-2004-x64

10

Cozy Setup.exe

windows11-21h2-x64

10

Resubmissions

01-09-2024 20:43

240901-zhrxqs1hpa 10

01-09-2024 20:30

240901-zalqra1fqd 7

01-09-2024 20:06

240901-yvmm4s1cmc 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Cozy Setup.exe

  • Size

    75.0MB

  • Sample

    240901-zhrxqs1hpa

  • MD5

    068eaf8b3b110ee23dc4fef1a869cb23

  • SHA1

    18c4481f160a58fd4ea0e26af83cc6bdf14ef4c8

  • SHA256

    942eac71508e78e453a97cf39154d8f36c8f0c37a9facaa3c3190466d02ae426

  • SHA512

    73d7e9b89430a5e738639b3f95b94494c0b35c9e764920cce4b3eb55a0211988f035664d3407e27f0d9da3a63cc824df939a3b83625aaf28f16c06fb35996971

  • SSDEEP

    1572864:kRu/x6vSa4mq+it03SZurRov2WS0SJwyQPYymwjrujiHR:kRx6r+2srWW19QP/jrujix

Score
10/10
hijackloaderrhadamanthysstealcbenjiworld29credential_accessdiscoveryloaderspywarestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://193.188.20.191:443/e0bd9c1f4515facb49/eehcla05.c4ft8

Extracted

Family

stealc

Botnet

benjiworld29

C2

http://5.188.87.35

Attributes
  • url_path

    /3d7617bd9d626b25.php

Targets

    • Target

      Cozy Setup.exe

    • Size

      75.0MB

    • MD5

      068eaf8b3b110ee23dc4fef1a869cb23

    • SHA1

      18c4481f160a58fd4ea0e26af83cc6bdf14ef4c8

    • SHA256

      942eac71508e78e453a97cf39154d8f36c8f0c37a9facaa3c3190466d02ae426

    • SHA512

      73d7e9b89430a5e738639b3f95b94494c0b35c9e764920cce4b3eb55a0211988f035664d3407e27f0d9da3a63cc824df939a3b83625aaf28f16c06fb35996971

    • SSDEEP

      1572864:kRu/x6vSa4mq+it03SZurRov2WS0SJwyQPYymwjrujiHR:kRx6r+2srWW19QP/jrujix

    Score
    10/10
    hijackloaderrhadamanthysstealcbenjiworld29credential_accessdiscoveryloaderspywarestealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks