hijackloader | 63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0 | Triage

Sharing

General

Target

Ravion.exe
Size

49.7MB
Sample

241009-nte7jatdjr
MD5

a88316d4c2e9a42e7b301bc295781793
SHA1

aa0079be546b312a2dbe8b5a92666c9298474164
SHA256

63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0
SHA512

4975426215db50165d76405843944087ce24630b89966f63f0190a0538ebea1ee4be996b29f00047b80ba767a8f6edd7e23e1e8f734e3de09b37c5d4c11011f0
SSDEEP

1572864:Hnx/dfByIQZBIvqA2fmb+DXz7o1Yca05xesr:HxlfB+C2fmbCo1dz5UA

Score

10^/10

hijackloader stealc sneprivate5 credential_access discovery execution loader spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

sneprivate5

C2

http://5.188.87.42

Attributes

url_path
/aa6217b8854aa121.php

Targets

- Target
  
  Ravion.exe
- Size
  
  49.7MB
- MD5
  
  a88316d4c2e9a42e7b301bc295781793
- SHA1
  
  aa0079be546b312a2dbe8b5a92666c9298474164
- SHA256
  
  63e5a6fedf34169383b050dc321dd9e13ef9d37938ea737e45726059e852d7a0
- SHA512
  
  4975426215db50165d76405843944087ce24630b89966f63f0190a0538ebea1ee4be996b29f00047b80ba767a8f6edd7e23e1e8f734e3de09b37c5d4c11011f0
- SSDEEP
  
  1572864:Hnx/dfByIQZBIvqA2fmb+DXz7o1Yca05xesr:HxlfB+C2fmbCo1dz5UA
Score

10^/10

discovery hijackloader stealc sneprivate5 credential_access execution loader spyware stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

hijackloaderstealcsneprivate5credential_accessdiscoveryexecutionloaderspywarestealer