hijackloader | dcbb21552ba0d2d59e7d3c7d8fc746287a3d716e03ee43f46496eda931d880d4 | Triage

Submit
Reports

Overview

overview

Static

static

1

ZoomMeetings.exe

windows7-x64

ZoomMeetings.exe

windows10-2004-x64

7

Sharing

General

Target

ZoomMeetings.exe
Size

170.3MB
Sample

241013-gf5rpswdrj
MD5

f29bda123b1f5a34269116a30053ba05
SHA1

18883525e62afcdebaa4449b986a631c2086c549
SHA256

dcbb21552ba0d2d59e7d3c7d8fc746287a3d716e03ee43f46496eda931d880d4
SHA512

e675b6f9e6ec6e04e7256114e3c9baa8f370b254d6192f71484170700c7b1311ac2dd5268188e97cb05091b33f92cb377cf720dbc2de98030cd22835d04814df
SSDEEP

786432:UCRzGLMBtpQshlXi9vnrXNAYKCxoQ4MAXGoJ7tpaXc+Ex8C93CfhMtc3jJdDTvuH:UUGwPXy9vucoDMI8Xc223Sp6H

Score

10^/10

hijackloader rhadamanthys stealc discovery loader stealer

Static task

static1

Behavioral task

behavioral1

Sample

ZoomMeetings.exe

Resource

win7-20240903-en

hijackloader rhadamanthys stealc discovery loader stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ZoomMeetings.exe

Resource

win10v2004-20241007-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Extracted

Family

rhadamanthys

C2

http://91.103.140.200:9078/3936a074a2f65761a5eb8/6fmfpmi7.fwf4p

Targets

- Target
  
  ZoomMeetings.exe
- Size
  
  170.3MB
- MD5
  
  f29bda123b1f5a34269116a30053ba05
- SHA1
  
  18883525e62afcdebaa4449b986a631c2086c549
- SHA256
  
  dcbb21552ba0d2d59e7d3c7d8fc746287a3d716e03ee43f46496eda931d880d4
- SHA512
  
  e675b6f9e6ec6e04e7256114e3c9baa8f370b254d6192f71484170700c7b1311ac2dd5268188e97cb05091b33f92cb377cf720dbc2de98030cd22835d04814df
- SSDEEP
  
  786432:UCRzGLMBtpQshlXi9vnrXNAYKCxoQ4MAXGoJ7tpaXc+Ex8C93CfhMtc3jJdDTvuH:UUGwPXy9vucoDMI8Xc223Sp6H
Score

10^/10

hijackloader rhadamanthys stealc discovery loader stealer
- Detects HijackLoader (aka IDAT Loader)
- HijackLoader
  HijackLoader is a multistage loader first seen in 2023.
  loader hijackloader
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

hijackloaderrhadamanthysstealcdiscoveryloaderstealer

behavioral2

© 2018-2024

Terms | Privacy