hijackloader | 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe

General

Target

ram.exe
Size

9.4MB
MD5

ba0767946d9cac95fd727d7076c7fec1
SHA1

31c713eabc90f61b44703a8d30e7ced6e2941f23
SHA256

2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe
SHA512

cd9398e8319068d44149fad6329c788d83ff400be30d29b89f0151aabfd9b340c0beb6f2773f2530a098e0cd304990f919f7c84536d719f46650fe99766ef048
SSDEEP

196608:1LX8vpjby5OkoeYXp0leGQ7WWb+6otLwGwP55ar9kCmlwe1Xf/Ohz2+lLqKj:1Ivxy58eYXm7Q7WWb+5L+5Mr9k3d1XfN

Score

10^/10

hijackloader rhadamanthys discovery loader stealer

Malware Config

Extracted

Family

rhadamanthys

C2

http://91.103.140.200:9078/3936a074a2f65761a5eb8/6fmfpmi7.fwf4p

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/3388-0-0x0000000000430000-0x0000000000DAC000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3528 created 2500	3528	explorer.exe	42

Deletes itself 1 IoCs

pid	Process
3232	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3388 set thread context of 3232	3388	ram.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3388	ram.exe
3388	ram.exe
3232	cmd.exe
3232	cmd.exe
3528	explorer.exe
3528	explorer.exe
3004	openwith.exe
3004	openwith.exe
3004	openwith.exe
3004	openwith.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3388	ram.exe
3232	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3232	3388	ram.exe	86
PID 3388 wrote to memory of 3232	3388	ram.exe	86
PID 3388 wrote to memory of 3232	3388	ram.exe	86
PID 3388 wrote to memory of 3232	3388	ram.exe	86
PID 3232 wrote to memory of 3528	3232	cmd.exe	100
PID 3232 wrote to memory of 3528	3232	cmd.exe	100
PID 3232 wrote to memory of 3528	3232	cmd.exe	100
PID 3232 wrote to memory of 3528	3232	cmd.exe	100
PID 3528 wrote to memory of 3004	3528	explorer.exe	102
PID 3528 wrote to memory of 3004	3528	explorer.exe	102
PID 3528 wrote to memory of 3004	3528	explorer.exe	102
PID 3528 wrote to memory of 3004	3528	explorer.exe	102
PID 3528 wrote to memory of 3004	3528	explorer.exe	102

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2500
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

C:\Users\Admin\AppData\Local\Temp\ram.exe
"C:\Users\Admin\AppData\Local\Temp\ram.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11c43b72

Filesize
1.1MB

MD5
6230e2981dc0f08903655a52ee22354d

SHA1
ab0ead346e918b698a75abf8eeab5a841cdb58b0

SHA256
2ad7efaee2f86810f85a38db38272400735b29d5ebe4ebf47ff5847901b899e3

SHA512
b25fc9220d40946e14c6a5d59fec16f72f1db5d84e8963fbf9bd331a230c78fc9cae3757d8f2521ab8ee71e0fbb6ea6c9e19aa7e0d81a63977fd05f844d657d3

Download Submit
memory/3004-30-0x00007FF8382B0000-0x00007FF8384A5000-memory.dmp

Filesize
2.0MB

Download
memory/3004-32-0x0000000076220000-0x0000000076435000-memory.dmp

Filesize
2.1MB

Download
memory/3004-29-0x0000000002460000-0x0000000002860000-memory.dmp

Filesize
4.0MB

Download
memory/3004-25-0x00000000008B0000-0x00000000008B9000-memory.dmp

Filesize
36KB

Download
memory/3232-11-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3232-13-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3232-7-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3232-9-0x00007FF8382B0000-0x00007FF8384A5000-memory.dmp

Filesize
2.0MB

Download
memory/3232-10-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3388-4-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3388-5-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3388-0-0x0000000000430000-0x0000000000DAC000-memory.dmp

Filesize
9.5MB

Download
memory/3388-3-0x0000000075203000-0x0000000075205000-memory.dmp

Filesize
8KB

Download
memory/3388-2-0x00007FF8382B0000-0x00007FF8384A5000-memory.dmp

Filesize
2.0MB

Download
memory/3388-1-0x00000000751F0000-0x000000007536B000-memory.dmp

Filesize
1.5MB

Download
memory/3528-14-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3528-20-0x0000000003E40000-0x0000000004240000-memory.dmp

Filesize
4.0MB

Download
memory/3528-23-0x0000000000830000-0x0000000000C63000-memory.dmp

Filesize
4.2MB

Download
memory/3528-24-0x0000000076220000-0x0000000076435000-memory.dmp

Filesize
2.1MB

Download
memory/3528-19-0x0000000003E40000-0x0000000004240000-memory.dmp

Filesize
4.0MB

Download
memory/3528-27-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3528-18-0x0000000000913000-0x000000000091B000-memory.dmp

Filesize
32KB

Download
memory/3528-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3528-15-0x00007FF8382B0000-0x00007FF8384A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing